diff --git a/Dashboards/Images/Logos/ThycoticLogo.svg b/Dashboards/Images/Logos/ThycoticLogo.svg
new file mode 100644
index 0000000000..092758fd2a
--- /dev/null
+++ b/Dashboards/Images/Logos/ThycoticLogo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/Dashboards/Images/Preview/ThycoticDashboardDark.PNG b/Dashboards/Images/Preview/ThycoticDashboardDark.PNG
new file mode 100644
index 0000000000..8995a2eedd
Binary files /dev/null and b/Dashboards/Images/Preview/ThycoticDashboardDark.PNG differ
diff --git a/Dashboards/Images/Preview/ThycoticDashboardWhite.PNG b/Dashboards/Images/Preview/ThycoticDashboardWhite.PNG
new file mode 100644
index 0000000000..a84bade69b
Binary files /dev/null and b/Dashboards/Images/Preview/ThycoticDashboardWhite.PNG differ
diff --git a/Dashboards/Thycotic_Dashboard.json b/Dashboards/Thycotic_Dashboard.json
new file mode 100644
index 0000000000..2e594d3e7b
--- /dev/null
+++ b/Dashboards/Thycotic_Dashboard.json
@@ -0,0 +1,571 @@ +{ + "properties": { + "lenses": { + "0": { + "order": 0, + "parts": { + "0": { + "position": { + "x": 0, + "y": 0, + "colSpan": 2, + "rowSpan": 1 + }, + "metadata": { + "inputs": [ + { + "name": "ComponentId", + "value": { + "SubscriptionId": "{Subscription_ID}", + "ResourceGroup": "{Resource_Group}", + "Name": "{Workspace_Name}", + "LinkedApplicationType": 2, + "ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02", + "ResourceType": "microsoft.operationalinsights/workspaces", + "IsAzureFirst": false + } + }, + { + "name": "ResourceIds", + "value": [ + "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02" + ], + "isOptional": true + }, + { + "name": "Type", + "value": "sentinel", + "isOptional": true + }, + { + "name": "TimeContext", + "isOptional": true + }, + { + "name": "ConfigurationId", + "value": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.insights/workbooks/27acb77c-c5fb-4b01-9734-6ae39c497028", + "isOptional": true + }, + { + "name": "ViewerMode", + "value": false, + "isOptional": true + }, + { + "name": "GalleryResourceType", + "value": "Sentinel", + "isOptional": true + }, + { + "name": "NotebookParams", + "isOptional": true + }, + { + "name": "Location", + "value": "eastus", + "isOptional": true + }, + { + "name": "Version", + "value": "1.0", + "isOptional": true + } + ], + "type": "Extension/AppInsightsExtension/PartType/NotebookPinnedPart", + "viewState": { + "content": { + "configurationId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.insights/workbooks/27acb77c-c5fb-4b01-9734-6ae39c497028" + } + } + } + }, + "1": { + "position": { + "x": 2, + "y": 0, + "colSpan": 19, + "rowSpan": 1 + }, + "metadata": { + "inputs": [], + "type": 
"Extension/HubsExtension/PartType/MarkdownPart", + "settings": { + "content": { + "settings": { + "content": "", + "title": "Thycotic Dashboard", + "subtitle": "Thycotic Dashboard", + "markdownSource": 1 + } + } + } + } + }, + "2": { + "position": { + "x": 0, + "y": 1, + "colSpan": 6, + "rowSpan": 9 + }, + "metadata": { + "inputs": [ + { + "name": "ComponentId", + "value": { + "SubscriptionId": "80e05ab0-5906-45a8-98ff-c9520c4b418b", + "ResourceGroup": "thycotic", + "Name": "thycotic02", + "ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02" + }, + "isOptional": true + }, + { + "name": "Dimensions", + "value": { + "xAxis": { + "name": "Activity", + "type": "string" + }, + "yAxis": [ + { + "name": "countRecord", + "type": "long" + } + ], + "splitBy": [], + "aggregation": "Sum" + }, + "isOptional": true + }, + { + "name": "Query", + "value": "CommonSecurityLog\n| where LogSeverity == 2\n| summarize countRecord = count() by Activity\n| order by countRecord\n| take 10\n| project Activity, countRecord\n| render columnchart\n", + "isOptional": true + }, + { + "name": "PartTitle", + "value": "Analytics", + "isOptional": true + }, + { + "name": "PartSubTitle", + "value": "thycotic02", + "isOptional": true + }, + { + "name": "PartId", + "value": "72e66bad-16a3-4f42-a50c-a1c8d207833d", + "isOptional": true + }, + { + "name": "Version", + "value": "1.0", + "isOptional": true + }, + { + "name": "resourceTypeMode", + "value": "workspace", + "isOptional": true + }, + { + "name": "TimeRange", + "value": "P7D", + "isOptional": true + }, + { + "name": "DashboardId", + "isOptional": true + }, + { + "name": "ControlType", + "value": "AnalyticsChart", + "isOptional": true + }, + { + "name": "SpecificChart", + "value": "Bar", + "isOptional": true + } + ], + "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart", + "settings": { + "content": { + "PartTitle": "Recent activity", + 
"PartSubTitle": "More used operations", + "Query": "CommonSecurityLog\n| where LogSeverity == 2\n| summarize countRecord = count() by Activity\n| order by countRecord\n| take 5\n| project Activity, countRecord\n| render columnchart\n", + "ControlType": "FrameControlChart", + "SpecificChart": "Bar" + } + } + } + }, + "3": { + "position": { + "x": 6, + "y": 1, + "colSpan": 11, + "rowSpan": 5 + }, + "metadata": { + "inputs": [ + { + "name": "ComponentId", + "value": { + "SubscriptionId": "80e05ab0-5906-45a8-98ff-c9520c4b418b", + "ResourceGroup": "thycotic", + "Name": "thycotic02", + "ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02" + }, + "isOptional": true + }, + { + "name": "Dimensions", + "isOptional": true + }, + { + "name": "Query", + "value": "CommonSecurityLog\n| where LogSeverity == 2\n| where FileType == \"Secret\"\n| extend SecretName = FileName\n| summarize countRecord = count(), lastDate = arg_max(TimeGenerated, *) by FileName\n| order by countRecord\n| project SecretName, countRecord, lastDate\n", + "isOptional": true + }, + { + "name": "PartTitle", + "value": "Analytics", + "isOptional": true + }, + { + "name": "PartSubTitle", + "value": "thycotic02", + "isOptional": true + }, + { + "name": "PartId", + "value": "684b8773-9d10-4767-810e-3a714b10806c", + "isOptional": true + }, + { + "name": "Version", + "value": "1.0", + "isOptional": true + }, + { + "name": "resourceTypeMode", + "value": "workspace", + "isOptional": true + }, + { + "name": "TimeRange", + "value": "P1D", + "isOptional": true + }, + { + "name": "DashboardId", + "isOptional": true + }, + { + "name": "ControlType", + "value": "AnalyticsGrid", + "isOptional": true + }, + { + "name": "SpecificChart", + "isOptional": true + } + ], + "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart", + "settings": { + "content": { + "PartTitle": "Recent secrets", + "PartSubTitle": "Most used 
secrets", + "Query": "CommonSecurityLog\n| where LogSeverity == 2\n| where FileType == \"Secret\"\n| extend SecretName = FileName\n| summarize countRecord = count(), lastDate = arg_max(TimeGenerated, *) by FileName\n| order by countRecord\n| project SecretName, Count = countRecord,LastDate = lastDate\n" + } + } + } + }, + "4": { + "position": { + "x": 17, + "y": 1, + "colSpan": 4, + "rowSpan": 9 + }, + "metadata": { + "inputs": [ + { + "name": "ComponentId", + "value": { + "SubscriptionId": "80e05ab0-5906-45a8-98ff-c9520c4b418b", + "ResourceGroup": "thycotic", + "Name": "thycotic02", + "ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02" + }, + "isOptional": true + }, + { + "name": "Dimensions", + "isOptional": true + }, + { + "name": "Query", + "value": "CommonSecurityLog\n| where LogSeverity == 2\n| where TimeGenerated > ago(1d)\n| summarize count() by Activity, FileName\n| where Activity == \"SECRET - EXPIREDTODAY\"\n| project SecretName = FileName\n", + "isOptional": true + }, + { + "name": "PartTitle", + "value": "Analytics", + "isOptional": true + }, + { + "name": "PartSubTitle", + "value": "thycotic02", + "isOptional": true + }, + { + "name": "PartId", + "value": "1559840a-5e39-455a-a89d-bf59cf14676d", + "isOptional": true + }, + { + "name": "Version", + "value": "1.0", + "isOptional": true + }, + { + "name": "resourceTypeMode", + "value": "workspace", + "isOptional": true + }, + { + "name": "TimeRange", + "isOptional": true + }, + { + "name": "DashboardId", + "isOptional": true + }, + { + "name": "ControlType", + "value": "AnalyticsGrid", + "isOptional": true + }, + { + "name": "SpecificChart", + "isOptional": true + } + ], + "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart", + "settings": { + "content": { + "PartTitle": "Expired secrets today", + "PartSubTitle": "Expired secrets" + } + } + } + }, + "5": { + "position": { + "x": 6, + "y": 6, + 
"colSpan": 11, + "rowSpan": 4 + }, + "metadata": { + "inputs": [ + { + "name": "ComponentId", + "value": { + "SubscriptionId": "80e05ab0-5906-45a8-98ff-c9520c4b418b", + "ResourceGroup": "thycotic", + "Name": "thycotic02", + "ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourceGroups/thycotic/providers/Microsoft.OperationalInsights/workspaces/thycotic02" + }, + "isOptional": true + }, + { + "name": "Dimensions", + "isOptional": true + }, + { + "name": "Query", + "value": "CommonSecurityLog\r\n| where TimeGenerated >= ago(10d)\r\n| where DeviceVendor == 'Thycotic Software' \r\n| where Message contains 'Login Failure'\r\n| parse Message with 'Login Failure - ' ErrorDetails\r\n| extend Application = 'Secret Server'\r\n| where DeviceEventClassID == '500'\r\n| summarize Login_Failures=count(), First=min(TimeGenerated), Last=max(TimeGenerated) by Application, ErrorDetails\r\n| sort by Login_Failures desc\r\n| where Login_Failures >= 5\r\n| extend AccountCustomEntity = ErrorDetails\r\n", + "isOptional": true + }, + { + "name": "PartTitle", + "value": "Analytics", + "isOptional": true + }, + { + "name": "PartSubTitle", + "value": "thycotic02", + "isOptional": true + }, + { + "name": "PartId", + "value": "11de89b3-92bf-4008-a195-bfb27e2abef3", + "isOptional": true + }, + { + "name": "Version", + "value": "1.0", + "isOptional": true + }, + { + "name": "resourceTypeMode", + "value": "workspace", + "isOptional": true + }, + { + "name": "TimeRange", + "isOptional": true + }, + { + "name": "DashboardId", + "isOptional": true + }, + { + "name": "ControlType", + "value": "AnalyticsGrid", + "isOptional": true + }, + { + "name": "SpecificChart", + "isOptional": true + } + ], + "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart", + "settings": { + "content": { + "PartTitle": "Login Failure", + "PartSubTitle": "Login Failure", + "Query": "CommonSecurityLog\n| where TimeGenerated >= ago(1d)\n| where DeviceVendor == 'Thycotic Software' \n| where Message 
contains 'Login Failure'\n| parse Message with 'Login Failure - ' ErrorDetails\n| extend Application = 'Secret Server'\n| where DeviceEventClassID == '500'\n| summarize Login_Failures=count(), First=min(TimeGenerated), Last=max(TimeGenerated) by Application, ErrorDetails\n| sort by Login_Failures desc\n| where Login_Failures >= 5\n| extend AccountCustomEntity = ErrorDetails\n" + } + } + } + }, + "6": { + "position": { + "x": 0, + "y": 10, + "colSpan": 21, + "rowSpan": 5 + }, + "metadata": { + "inputs": [ + { + "name": "ComponentId", + "value": { + "SubscriptionId": "80e05ab0-5906-45a8-98ff-c9520c4b418b", + "ResourceGroup": "thycotic", + "Name": "thycotic02", + "ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourceGroups/thycotic/providers/Microsoft.OperationalInsights/workspaces/thycotic02" + }, + "isOptional": true + }, + { + "name": "Dimensions", + "isOptional": true + }, + { + "name": "Query", + "value": "CommonSecurityLog\r\n| project TimeGenerated,LogSeverity, Message, SourceIP, Activity, DestinationUserID, FileID,FileType,FileName,SourceUserID,SourceUserName, DeviceCustomString4\n", + "isOptional": true + }, + { + "name": "PartTitle", + "value": "Analytics", + "isOptional": true + }, + { + "name": "PartSubTitle", + "value": "thycotic02", + "isOptional": true + }, + { + "name": "PartId", + "value": "1235b776-14b3-46cb-8f81-0f8734fa14c0", + "isOptional": true + }, + { + "name": "Version", + "value": "1.0", + "isOptional": true + }, + { + "name": "resourceTypeMode", + "value": "workspace", + "isOptional": true + }, + { + "name": "TimeRange", + "value": "P1D", + "isOptional": true + }, + { + "name": "DashboardId", + "isOptional": true + }, + { + "name": "ControlType", + "value": "AnalyticsGrid", + "isOptional": true + }, + { + "name": "SpecificChart", + "isOptional": true + } + ], + "type": "Extension/AppInsightsExtension/PartType/AnalyticsPart", + "settings": {} + } + } + } + } + }, + "metadata": { + "model": { + "timeRange": { + "value": { 
+ "relative": { + "duration": 24, + "timeUnit": 1 + } + }, + "type": "MsPortalFx.Composition.Configuration.ValueTypes.TimeRange" + }, + "filterLocale": { + "value": "en-us" + }, + "filters": { + "value": { + "MsPortalFx_TimeRange": { + "model": { + "format": "utc", + "granularity": "auto", + "relative": "30d" + }, + "displayCache": { + "name": "UTC Time", + "value": "Past 30 days" + }, + "filteredPartIds": [ + "StartboardPart-AnalyticsPart-6e2f774f-9aaf-42a8-9a7e-2ef2473bf1c1", + "StartboardPart-AnalyticsPart-6e2f774f-9aaf-42a8-9a7e-2ef2473bf1c3", + "StartboardPart-AnalyticsPart-6e2f774f-9aaf-42a8-9a7e-2ef2473bf1c5", + "StartboardPart-AnalyticsPart-6e2f774f-9aaf-42a8-9a7e-2ef2473bf1c7", + "StartboardPart-AnalyticsPart-6e2f774f-9aaf-42a8-9a7e-2ef2473bf1c9" + ] + } + } + } + } + } + }, + "name": "Thycotic Dashboard", + "type": "Microsoft.Portal/dashboards", + "location": "INSERT LOCATION", + "tags": { + "hidden-title": "Thycotic Dashboard" + }, + "apiVersion": "2015-08-01-preview" +} \ No newline at end of file diff --git a/DataConnectors/ThycoticSecretServer_CEF.json b/DataConnectors/ThycoticSecretServer_CEF.json new file mode 100644 index 0000000000..bf84a15ff7 --- /dev/null +++ b/DataConnectors/ThycoticSecretServer_CEF.json 
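Review bot: Only the first tile's `SubscriptionId`, `ResourceGroup` and `Name` use the `{Subscription_ID}` / `{Resource_Group}` / `{Workspace_Name}` placeholders; every `ResourceId`, both `ConfigurationId` values and the whole `ComponentId` of parts 2 to 6 still carry the authoring environment's subscription GUID, resource group `thycotic` and workspace `thycotic02`. As committed, the template publishes those identifiers and its tiles will presumably point at a workspace the deployer does not own, so build the paths from the placeholders, e.g. `"ResourceId": "/subscriptions/{Subscription_ID}/resourcegroups/{Resource_Group}/providers/microsoft.operationalinsights/workspaces/{Workspace_Name}"`. Separately, the queries of parts 2, 3 and 4 filter `CommonSecurityLog` only on `LogSeverity`, and part 6 does not filter at all, so in a workspace that also ingests other CEF sources these tiles will count other vendors' events as Secret Server activity. Add `| where DeviceVendor == \"Thycotic Software\"` to each, as the Login Failure tile in part 5 already does.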
@@ -0,0 +1,124 @@
+{
+ "id": "ThycoticSecretServer_CEF",
+ "title": "Thycotic Secret Server",
+ "publisher": "Thycotic, Inc",
+ "descriptionMarkdown": "Common Event Format (CEF) from Thycotic Secret Server ",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CommonSecurityLog (Thycotic Secret Server)",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Get records create new secret",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity contains \"SECRET - CREATE\""
+ },
+ {
+ "description" : "Get records where view secret",
+ "query" :"CommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n| where Activity contains \"SECRET - VIEW\""
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Thycotic Secret Server)",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "\nCommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Thycotic Secret Server",
+ "description": "must be configured to export logs via Syslog \n\n [Learn more about configure Secret Server](https://thy.center/ss/link/syslog)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "1. Linux Syslog agent configuration",
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "innerSteps": [
+ {
+ "title": "1.1 Select or create a Linux machine",
+ "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ },
+ {
+ "title": "1.2 Install the CEF collector on the Linux machine",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId",
+ "PrimaryKey"
+ ],
+ "label": "Run the following command to install and apply the CEF collector:",
+ "value": "sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "title": "2. Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
+ },
+ {
+ "title": "3. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "4. Secure your machine ",
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
+ }
+ ]
+}
diff --git a/Logos/ThycoticLogo.svg b/Logos/ThycoticLogo.svg
new file mode 100644
index 0000000000..092758fd2a
--- /dev/null
+++ b/Logos/ThycoticLogo.svg
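Review bot: Both `CopyableLabel` commands fetch a script from the mutable `master` branch and run it with sudo without any integrity check, and the installer command passes the workspace `PrimaryKey` as a command-line argument (`{1}`), where it is recorded in shell history and visible in the process list. Consider pointing the URLs at a pinned revision (`.../Azure-Sentinel/<commit-sha>/DataConnectors/CEF/cef_installer.py`) and telling operators in the step text to review or checksum the script before running it as root. The first `resourceProvider` entry also requests `"delete": true` although its `permissionsDisplayText` says only read and write are required; drop the flag or correct the text so the grant matches least privilege. Minor: `python -version` in steps 1.2 and 3 is not a valid option, the check should read `python --version`.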
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/Sample Data/CEF/ThycoticSourceData.csv b/Sample Data/CEF/ThycoticSourceData.csv
new file mode 100644
index 0000000000..f22e97c435
--- /dev/null
+++ b/Sample Data/CEF/ThycoticSourceData.csv
@@ -0,0 +1,241 @@ +TenantId,SourceSystem,TimeGenerated,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPo
int4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime,EndTime,Type,"_ResourceId" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:59:29.239Z","Sep 02 2020 12:59:19","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:00:39.159Z","Sep 02 2020 13:00:37","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," 
ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:00:39.196Z","Sep 02 2020 13:00:37","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:15:09.152Z","Sep 02 2020 12:14:59","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:15:09.186Z","Sep 02 2020 12:14:59","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:19:09.222Z","Sep 02 2020 12:19:00","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:20:59.244Z","Sep 02 2020 
12:20:49","Thycotic Software","Secret Server",10145,2,,,,,,,null,,,,"[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory Sync Initiated",,null,,,,,null,,,,,null,null,,"10.9.000000","DOMAIN - SYNCHRONIZE",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,,,,,,,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:28:39.22Z","Sep 02 2020 12:28:30","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:28:49.138Z","Sep 02 2020 12:28:39","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," 
ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:28:49.171Z","Sep 02 2020 12:28:39","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:29:09.304Z","Sep 02 2020 12:29:04","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:33:49.244Z","Sep 02 2020 12:33:39","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:33:49.262Z","Sep 02 2020 12:33:41","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:34:19.157Z","Sep 02 2020 12:34:10","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 
32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11022,,,,Secret,"RDP + SSH PROXY",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:34:19.194Z","Sep 02 2020 12:34:15","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:34:19.242Z","Sep 02 2020 12:34:18","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:34:49.171Z","Sep 02 2020 12:34:47","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10473,,,,Secret,"RDP (no custom window size)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:34:59.151Z","Sep 02 2020 12:34:51","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10473,,,,Secret,"RDP (no custom window size)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:35:09.153Z","Sep 02 2020 12:35:04","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:35:09.277Z","Sep 02 2020 12:35:04","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:37:39.231Z","Sep 02 2020 12:37:32","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max 
(Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:03:59.236Z","Sep 02 2020 12:03:50","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:03:59.273Z","Sep 02 2020 12:03:51","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:03:59.313Z","Sep 02 2020 12:03:58","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:04:19.243Z","Sep 02 2020 12:04:17","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:04:19.26Z","Sep 02 2020 12:04:18","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser 
Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:04:29.22Z","Sep 02 2020 12:04:22","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:04:39.252Z","Sep 02 2020 12:04:33","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:04:39.273Z","Sep 02 2020 12:04:34","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) 
",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:04:39.296Z","Sep 02 2020 12:04:38","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:05:39.211Z","Sep 02 2020 12:05:33","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:06:29.249Z","Sep 02 2020 12:06:20","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:07:09.223Z","Sep 02 2020 12:07:02","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:08:59.217Z","Sep 02 2020 12:08:56","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) 
",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:38:49.619Z","Sep 02 2020 11:38:46","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:39:09.221Z","Sep 02 2020 11:39:04","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:39:09.237Z","Sep 02 2020 11:39:04","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:44:49.265Z","Sep 02 2020 11:44:48","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:45:29.254Z","Sep 02 2020 11:45:25","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) 
",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:45:59.146Z","Sep 02 2020 11:45:50","Thycotic Software","Secret Server",10019,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 11:15 AM by Max",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - SESSION RECORDING VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:48:59.214Z","Sep 02 2020 11:48:49","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser 
Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:55:39.211Z","Sep 02 2020 11:55:29","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:58:59.29Z","Sep 02 2020 11:58:53","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:59:19.244Z","Sep 02 2020 11:59:16","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item 
Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:59:19.261Z","Sep 02 2020 11:59:16","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.171Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: 1 permission - edit for testing (Item Id: 10648) Container Name: valid secrets (Container Id: 196) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10648,,,,Secret,"1 permission - edit for testing",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"valid 
secrets",Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.196Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Cisco Account (SSH) q (Item Id: 10860) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10860,,,,Secret,"Cisco Account (SSH) q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.214Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Cisco Enable Secret (Telnet) (Item Id: 10861) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10861,,,,Secret,"Cisco Enable Secret (Telnet)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.241Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Generic Discovery Credentials (Item Id: 10868) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10868,,,,Secret,"Generic Discovery Credentials",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.518Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Generic SQL Server Account q (Item Id: 10869) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10869,,,,Secret,"Generic SQL Server Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.542Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: HP iLO Account (SSH) (Item Id: 10872) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10872,,,,Secret,"HP iLO Account (SSH)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.57Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: IBM iSeries Mainframe q (Item Id: 10873) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10873,,,,Secret,"IBM iSeries Mainframe q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.598Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Ldap (Active Directory) q (Item Id: 10874) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10874,,,,Secret,"Ldap (Active Directory) q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.635Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: MySql Account q (Item Id: 10875) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10875,,,,Secret,"MySql Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.662Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: 
ThycoticSystem Item Name: Office365 Account q (Item Id: 10876) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10876,,,,Secret,"Office365 Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.681Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: OpenLDAP Account q (Item Id: 10877) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10877,,,,Secret,"OpenLDAP Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.71Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Oracle Account (Item Id: 10878) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - 
EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10878,,,,Secret,"Oracle Account",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.743Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Password q (Item Id: 10879) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10879,,,,Secret,"Password q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.768Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: PowerShell Active Directory q (Item Id: 10882) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10882,,,,Secret,"PowerShell Active Directory 
q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.79Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: SonicWall NSA Web Admin Account q (Item Id: 10888) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10888,,,,Secret,"SonicWall NSA Web Admin Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.818Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: SonicWall NSA Web Local User Account q (Item Id: 10889) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10889,,,,Secret,"SonicWall NSA Web Local User Account 
q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.852Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: SQL Server Account q (Item Id: 10890) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10890,,,,Secret,"SQL Server Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.886Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Sybase Account q (Item Id: 10893) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10893,,,,Secret,"Sybase Account q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.911Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: VMware ESX/ESXi q (Item Id: 10903) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10903,,,,Secret,"VMware ESX/ESXi q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.939Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: WatchGuard q (Item Id: 10905) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10905,,,,Secret,"WatchGuard q",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.959Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: 2 permission - view (Item Id: 10931) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10931,,,,Secret,"2 permission - view",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:09.98Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: tryterureu (Item Id: 10933) Container Name: new folder (Container Id: 231) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10933,,,,Secret,tryterureu,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"new folder",Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.026Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: herht65i65i (Item Id: 10934) Container Name: Folder1 (Container 
Id: 260) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10934,,,,Secret," herht65i65i",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder1,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.047Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: vhh (Item Id: 10938) Container Name: sub-folder1 (Container Id: 218) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10938,,,,Secret,vhh,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"sub-folder1",Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.073Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: ifufuguvuvuv (Item Id: 10939) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10939,,,,Secret,ifufuguvuvuv,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.091Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: shsbksbs (Item Id: 10940) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10940,,,,Secret,shsbksbs,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.105Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: khoateating dkdn (Item Id: 10942) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10942,,,,Secret,"khoateating dkdn",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.137Z","Sep 02 2020 12:00:00","Thycotic Software","Secret 
Server",10009,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: hjjbccch (Item Id: 10943) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIREDTODAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10943,,,,Secret,hjjbccch,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.217Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10010,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 1 Day] By User: ThycoticSystem Item Name: 1 permission - owner for testing (Item Id: 10945) Container Name: valid secrets (Container Id: 196) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES01DAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10945,,,,Secret,"1 permission - owner for testing",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"valid secrets",Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.251Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10010,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 1 Day] By User: ThycoticSystem Item Name: Active Directory test (Item Id: 10950) Container Name: Folder1 (Container Id: 260) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - 
EXPIRES01DAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10950,,,,Secret,"Active Directory test",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder1,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.282Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10010,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 1 Day] By User: ThycoticSystem Item Name: Secret test (Item Id: 10952) Container Name: Folder1 (Container Id: 260) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES01DAY",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10952,,,,Secret," Secret test",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder1,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.303Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10013,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: andy33 (Item Id: 10377) Container Name: Max (Container Id: 25) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES03DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10377,,,,Secret,andy33,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.354Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10013,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: CiscoVpn2 (Item Id: 10932) Container Name: Folder1 (Container Id: 260) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES03DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10932,,,,Secret," CiscoVpn2",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder1,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.385Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10013,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: guj (Item Id: 10955) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES03DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10955,,,,Secret,guj,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.402Z","Sep 02 2020 12:00:00","Thycotic Software","Secret 
Server",10013,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: dhfdshfd (Item Id: 10956) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES03DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10956,,,,Secret,dhfdshfd,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.441Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10013,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: ghbj (Item Id: 10957) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES03DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10957,,,,Secret,ghbj,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.479Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10013,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: secret name warner (Item Id: 10959) Container Name: . 
(Container Id: 71) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES03DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10959,,,,Secret,"secret name warner",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,". ",Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.51Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10011,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 7 Days] By User: ThycoticSystem Item Name: testing (Item Id: 10973) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES07DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10973,,,,Secret,testing,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.541Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10011,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 7 Days] By User: ThycoticSystem Item Name: dgfdgdfg (Item Id: 10974) Container Name: ZOleg (Container Id: 45) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES07DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10974,,,,Secret,dgfdgdfg,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,ZOleg,Folder,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.579Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10011,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 7 Days] By User: ThycoticSystem Item Name: gh (Item Id: 10975) Container Name: AccForTests (Container Id: 197) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES07DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10975,,,,Secret,gh,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,AccForTests,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.6Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10012,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: test (Item Id: 11030) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES15DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11030,,,,Secret,test,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.621Z","Sep 02 2020 12:00:00","Thycotic Software","Secret 
Server",10012,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: gij (Item Id: 11031) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES15DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11031,,,,Secret,gij,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.65Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10012,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: d (Item Id: 11033) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES15DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11033,,,,Secret,d,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.667Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10012,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: Enter (Item Id: 11034) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - 
EXPIRES15DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11034,,,,Secret,Enter,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.705Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10094,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 30 Days] By User: ThycoticSystem Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES30DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.724Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10094,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 30 Days] By User: ThycoticSystem Item Name: dhfdshfdsh (Item Id: 11099) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES30DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11099,,,,Secret," dhfdshfdsh",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,ThycoticSystem,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:00:10.762Z","Sep 02 2020 12:00:00","Thycotic Software","Secret Server",10094,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Expires in 30 Days] By User: ThycoticSystem Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - EXPIRES30DAYS",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:38:39.303Z","Sep 02 2020 12:38:31","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:38:49.405Z","Sep 02 2020 12:38:47","Thycotic Software","Secret 
Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:38:59.324Z","Sep 02 2020 12:38:55","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 32) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11022,,,,Secret,"RDP + SSH PROXY",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:09.268Z","Sep 02 2020 12:39:03","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 32) Details: Remote Desktop - test",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - 
LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11022,,,,Secret,"RDP + SSH PROXY",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:09.287Z","Sep 02 2020 12:39:07","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:09.314Z","Sep 02 2020 12:39:07","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:29.264Z","Sep 02 2020 12:39:26","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: khgk (Item Id: 11097) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11097,,,,Secret," khgk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:29.299Z","Sep 02 2020 12:39:26","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: khgk (Item Id: 11097) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11097,,,,Secret," khgk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:39.148Z","Sep 02 2020 12:39:31","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: rujytrjuyt (Item Id: 11096) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11096,,,,Secret," rujytrjuyt",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:39:39.184Z","Sep 02 2020 12:39:31","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: rujytrjuyt (Item Id: 11096) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11096,,,,Secret," rujytrjuyt",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:19.245Z","Sep 02 2020 12:40:12","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item 
Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:19.286Z","Sep 02 2020 12:40:12","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:19.319Z","Sep 02 2020 12:40:17","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP 
Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:29.26Z","Sep 02 2020 12:40:25","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:29.317Z","Sep 02 2020 12:40:25","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:29.352Z","Sep 02 2020 12:40:26","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10325,,,,Secret,"RDP (1920x1080)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:29.396Z","Sep 02 2020 12:40:26","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10325,,,,Secret,"RDP (1920x1080)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:39.296Z","Sep 02 2020 12:40:30","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10325,,,,Secret,"RDP (1920x1080)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:59.134Z","Sep 02 2020 12:40:50","Thycotic Software","Secret Server",10019,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 12:40 PM by Max",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - SESSION RECORDING VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10325,,,,Secret,"RDP (1920x1080)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:40:59.152Z","Sep 02 2020 12:40:52","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: 
[Launch] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10325,,,,Secret,"RDP (1920x1080)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:48:29.154Z","Sep 02 2020 12:48:26","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:48:29.188Z","Sep 02 2020 12:48:26","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - 
PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:49:19.583Z","Sep 02 2020 12:49:15","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:50:39.231Z","Sep 02 2020 12:50:31","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:53:39.182Z","Sep 02 2020 12:53:34","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:53:39.216Z","Sep 02 2020 12:53:34","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T12:55:59.144Z","Sep 02 2020 12:55:50","Thycotic Software","Secret Server",10019,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 12:40 PM by Max",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - SESSION RECORDING VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10325,,,,Secret,"RDP (1920x1080)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:06:09.162Z","Sep 02 2020 13:06:09","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10473,,,,Secret,"RDP (no custom window size)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:06:19.157Z","Sep 02 2020 13:06:13","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: 
[Launch] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10473,,,,Secret,"RDP (no custom window size)",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:54:49.395Z","Sep 02 2020 09:54:47","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:54:59.151Z","Sep 02 2020 09:54:55","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," 
ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:54:59.185Z","Sep 02 2020 09:54:55","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:58:09.263Z","Sep 02 2020 09:58:01","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:58:09.284Z","Sep 02 2020 09:58:07","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:07:39.235Z","Sep 02 2020 10:07:30","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:08:09.206Z","Sep 02 2020 10:08:06","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) 
",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:08:19.228Z","Sep 02 2020 10:08:11","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:38:19.312Z","Sep 02 2020 10:38:18","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:38:29.306Z","Sep 02 2020 10:38:22","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:38:39.328Z","Sep 02 2020 10:38:34","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:40:09.183Z","Sep 02 2020 10:40:07","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\W1 (Item Id: 10390) Container 
Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:40:09.376Z","Sep 02 2020 10:40:07","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:41:49.28Z","Sep 02 2020 10:41:43","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:41:49.303Z","Sep 02 2020 10:41:43","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:41:49.331Z","Sep 02 2020 10:41:43","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:41:49.36Z","Sep 02 2020 10:41:43","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount 
Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:41:49.424Z","Sep 02 2020 10:41:43","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:42:19.259Z","Sep 02 2020 10:42:12","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:43:39.213Z","Sep 02 2020 10:43:35","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:44:39.256Z","Sep 02 2020 10:44:31","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:44:39.276Z","Sep 02 2020 10:44:31","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] 
By User: AppAccount Item Name: TestADSecret (Item Id: 10340) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10340,,,,Secret,TestADSecret,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:44:39.346Z","Sep 02 2020 10:44:32","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: TestADSecret (Item Id: 10340) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10340,,,,Secret,TestADSecret,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:44:49.177Z","Sep 02 2020 10:44:40","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: TestADSecret (Item Id: 10340) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - 
VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10340,,,,Secret,TestADSecret,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:44:59.175Z","Sep 02 2020 10:44:51","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:45:09.216Z","Sep 02 2020 10:45:01","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:45:29.302Z","Sep 02 2020 10:45:21","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:10:39.209Z","Sep 02 2020 10:10:37","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:10:39.231Z","Sep 02 2020 10:10:37","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: 
dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:10:59.451Z","Sep 02 2020 10:10:50","Thycotic Software","Secret Server",10145,2,,,,,,,null,,,,"[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory Sync Initiated",,null,,,,,null,,,,,null,null,,"10.9.000000","DOMAIN - SYNCHRONIZE",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,,,,,,,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:14:49.27Z","Sep 02 2020 10:14:48","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:18:19.219Z","Sep 02 2020 10:18:10","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:18:19.237Z","Sep 02 2020 10:18:15","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:08:19.284Z","Sep 02 2020 11:08:19","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: testing Item Name: testing (Item Id: 
18) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,18,testing,,null,null,,,18,,,,User,testing,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,18,testing,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AccForTests,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:08:39.219Z","Sep 02 2020 11:08:34","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:09:39.149Z","Sep 02 2020 11:09:35","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:11:09.17Z","Sep 02 2020 11:11:07","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDPproxyTEST (Item Id: 10348) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10348,,,,Secret,RDPproxyTEST,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:11:19.155Z","Sep 02 2020 11:11:11","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:11:19.201Z","Sep 02 2020 11:11:13","Thycotic Software","Secret 
Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:11:49.189Z","Sep 02 2020 11:11:45","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:13:19.151Z","Sep 02 2020 11:13:14","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - 
LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:15:09.154Z","Sep 02 2020 11:15:00","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:15:19.206Z","Sep 02 2020 11:15:13","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:15:59.237Z","Sep 02 2020 11:15:49","Thycotic Software","Secret Server",10145,2,,,,,,,null,,,,"[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory Sync Initiated",,null,,,,,null,,,,,null,null,,"10.9.000000","DOMAIN - SYNCHRONIZE",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,,,,,,,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:15:59.251Z","Sep 02 2020 11:15:52","Thycotic Software","Secret Server",10019,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 09:13 AM by Max",,null,,,,,null,,,,,null,null,,"10.9.000000","SECRET - SESSION RECORDING VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,1,ThycoticSystem,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,ThycoticSystem,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:17:09.175Z","Sep 02 2020 11:17:08","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:17:39.146Z","Sep 02 2020 11:17:33","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:17:39.181Z","Sep 02 2020 11:17:36","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote 
Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:18:29.171Z","Sep 02 2020 11:18:26","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:18:39.202Z","Sep 02 2020 11:18:38","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:25:19.233Z","Sep 02 2020 11:25:17","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:26:09.239Z","Sep 02 2020 11:26:05","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:28:49.209Z","Sep 02 2020 11:28:42","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 
(Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:35:29.241Z","Sep 02 2020 11:35:20","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:27:59.227Z","Sep 02 2020 09:27:49","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:27:59.244Z","Sep 02 2020 09:27:55","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:28:09.234Z","Sep 02 2020 09:28:06","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:31:19.214Z","Sep 02 2020 09:31:11","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 
4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:34:29.296Z","Sep 02 2020 09:34:25","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:34:49.158Z","Sep 02 2020 09:34:43","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:34:49.195Z","Sep 02 2020 09:34:43","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:36:19.248Z","Sep 02 2020 09:36:13","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:48:29.234Z","Sep 02 2020 10:48:22","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: 
[User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:48:29.251Z","Sep 02 2020 10:48:26","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:55:09.222Z","Sep 02 2020 10:55:04","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:58:39.228Z","Sep 02 2020 10:58:29","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:58:39.247Z","Sep 02 2020 10:58:37","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:04:39.208Z","Sep 02 2020 11:04:35","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP + SSH PROXY 
(Item Id: 11022) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11022,,,,Secret,"RDP + SSH PROXY",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:04:39.261Z","Sep 02 2020 11:04:38","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:04:49.175Z","Sep 02 2020 11:04:41","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10349,,,,Secret,"RDP 
Proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,RDP,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:05:09.783Z","Sep 02 2020 11:05:08","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:05:49.224Z","Sep 02 2020 11:05:40","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T11:05:49.244Z","Sep 02 
2020 11:05:40","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17) ",,null,"188.163.82.22",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,17,dima1,,null,null,,,17,,,,User,dima1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,17,dima1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,"Murzak Dmitriy","suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:05:59.435Z","Sep 02 2020 13:05:52","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:09:29.211Z","Sep 02 2020 13:09:23","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:01.685Z","Sep 02 2020 13:11:52","Thycotic Software","Secret Server",17,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Logout] By User: testing Item Name: testing (Item Id: 18) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGOUT",,null,,,,null,,,,,,,,,,,,null,,,,18,testing,,null,null,,,18,,,,User,testing,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,18,testing,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AccForTests,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:01.721Z","Sep 02 2020 13:12:00","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: From ""Unix Account (SSH)"" no Private Key (Item Id: 115) Container Name: SSH Secrets (Container Id: 31) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,115,,,,Secret,"From ""Unix Account (SSH)"" no Private Key",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"SSH Secrets",Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:09.393Z","Sep 02 2020 13:12:02","Thycotic 
Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:09.411Z","Sep 02 2020 13:12:02","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: From ""Unix Account (SSH)"" no Private Key (Item Id: 115) Container Name: SSH Secrets (Container Id: 31) Details: PuTTY",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,115,,,,Secret,"From ""Unix Account (SSH)"" no Private Key",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"SSH Secrets",Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:29.384Z","Sep 02 2020 13:12:26","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: no proxy (Item Id: 10369) Container Name: SSH Secrets (Container Id: 31) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10369,,,,Secret,"no 
proxy",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"SSH Secrets",Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:29.419Z","Sep 02 2020 13:12:29","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: key proxy+ ssh (Item Id: 10411) Container Name: SSH Secrets (Container Id: 31) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10411,,,,Secret,"key proxy+ ssh",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"SSH Secrets",Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:12:39.155Z","Sep 02 2020 13:12:32","Thycotic Software","Secret Server",10006,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: key proxy+ ssh (Item Id: 10411) Container Name: SSH Secrets (Container Id: 31) Details: PuTTY",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - LAUNCH",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10411,,,,Secret,"key proxy+ ssh",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"SSH Secrets",Folder,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:19:29.242Z","Sep 02 2020 13:19:26","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:24:59.228Z","Sep 02 2020 10:24:53","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:27:29.243Z","Sep 02 2020 10:27:24","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max 
(Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:27:49.152Z","Sep 02 2020 10:27:41","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:27:49.312Z","Sep 02 2020 10:27:41","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:28:29.295Z","Sep 02 2020 10:28:19","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:31:29.195Z","Sep 02 2020 10:31:21","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: 10.10.200.2xbxjxbnsjs (Item Id: 10326) Container Name: SSH Secrets (Container Id: 31) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10326,,,,Secret,"10.10.200.2xbxjxbnsjs",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,"SSH Secrets",Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:31:29.293Z","Sep 02 2020 10:31:25","Thycotic Software","Secret 
Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:31:39.252Z","Sep 02 2020 10:31:32","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:09.253Z","Sep 02 2020 10:32:00","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - 
LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:09.328Z","Sep 02 2020 10:32:01","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:09.415Z","Sep 02 2020 10:32:01","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:29.205Z","Sep 02 2020 10:32:28","Thycotic Software","Secret Server",10041,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Viewed Secret Edit] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEWED_EDIT",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:29.239Z","Sep 02 2020 10:32:28","Thycotic Software","Secret Server",10055,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Change] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - SECRETPASSWORDCHANGE",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:29.274Z","Sep 02 2020 10:32:28","Thycotic Software","Secret 
Server",10005,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Edit] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - EDIT",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:39.301Z","Sep 02 2020 10:32:34","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:39.324Z","Sep 02 2020 10:32:34","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - 
VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:32:39.383Z","Sep 02 2020 10:32:35","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:33:09.177Z","Sep 02 2020 10:33:04","Thycotic Software","Secret Server",10055,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Change] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - SECRETPASSWORDCHANGE",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:33:09.196Z","Sep 02 2020 10:33:04","Thycotic Software","Secret Server",10005,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Edit] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - EDIT",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:33:19.306Z","Sep 02 2020 10:33:09","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,10,AppAccount,,null,null,,,10,,,,User,AppAccount,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:33:19.326Z","Sep 02 2020 10:33:09","Thycotic Software","Secret 
Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:33:19.391Z","Sep 02 2020 10:33:09","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10342,,,,Secret,2,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,10,AppAccount,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,AppAccount,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:34:29.16Z","Sep 02 2020 10:34:19","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - 
VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:34:29.213Z","Sep 02 2020 10:34:19","Thycotic Software","Secret Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,10390,,,,Secret,"W1\W1",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Max,Folder,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T10:34:59.208Z","Sep 02 2020 10:34:57","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display 
Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:21:49.326Z","Sep 02 2020 13:21:47","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:22:00.866Z","Sep 02 2020 13:21:55","Thycotic Software","Secret Server",10004,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - VIEW",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T13:22:01.143Z","Sep 02 2020 13:21:55","Thycotic Software","Secret 
Server",10039,2,,,,,,,null,,,,"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","SECRET - PASSWORD_DISPLAYED",,null,,,,null,,,,,,,,,,,,null,,,,,,,null,null,,,11100,,,,Secret," ktukuytk",null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,Folder3s23xyjyh,Folder,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:37:59.809Z","Sep 02 2020 09:37:53","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:38:09.198Z","Sep 02 2020 09:38:00","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - 
LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:41:58.923Z","Sep 02 2020 09:41:42","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:44:09.388Z","Sep 02 2020 09:44:09","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" 
+"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:47:59.224Z","Sep 02 2020 09:47:57","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11) ",,null,"93.74.172.249",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,11,oleg1,,null,null,,,11,,,,User,oleg1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,11,oleg1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,ZOleg,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:48:09.21Z","Sep 02 2020 09:48:03","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,22,Ibrahim1,,null,null,,,22,,,,User,Ibrahim1,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,22,Ibrahim1,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,AIbrahim,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:49:49.435Z","Sep 02 2020 09:49:42","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - 
LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" +"0f9902f5-f3f6-4c2c-b395-b658e0bd207c",OpsManager,"2020-09-02T09:50:39.351Z","Sep 02 2020 09:50:38","Thycotic Software","Secret Server",16,2,,,,,,,null,,,,"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4) ",,null,"217.147.161.79",,,,null,,,,,null,null,,"10.9.000000","USER - LOGIN",,null,,,,null,,,,,,,,,,,,null,,,,4,max,,null,null,,,4,,,,User,max,null,null,,,,,,,,null,,null,,,,,,,,,,,,null,null,,,4,max,null,,,,,,,,,null,,null,,null,,null,,null,,null,,null,,,,,,,,Max,"suser Display Name",,,,,,,,,,,null,,null,,,,,,,null,null,CommonSecurityLog,"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" diff --git a/Sample Data/CEF/ThycoticSourceData.json b/Sample Data/CEF/ThycoticSourceData.json new file mode 100644 index 0000000000..f7a876e010 --- /dev/null +++ b/Sample Data/CEF/ThycoticSourceData.json 
@@ -0,0 +1,36962 @@ +[ + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:59:29.239Z", + "ReceiptTime": "Sep 02 2020 12:59:19", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + 
"FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + 
"DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:00:39.159Z", + "ReceiptTime": "Sep 02 2020 13:00:37", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, 
+ "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + 
"DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:00:39.196Z", + "ReceiptTime": "Sep 02 2020 13:00:37", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] 
By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + 
"SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:15:09.152Z", + "ReceiptTime": "Sep 02 2020 12:14:59", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + 
"DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + 
"DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:15:09.186Z", + "ReceiptTime": "Sep 02 2020 12:14:59", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + 
"MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + 
"DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:19:09.222Z", + "ReceiptTime": "Sep 02 2020 12:19:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + 
"RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + 
"FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:20:59.244Z", + "ReceiptTime": "Sep 02 2020 12:20:49", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10145, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory Sync Initiated", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "DOMAIN - SYNCHRONIZE", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + 
"DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": "", + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "", + "FileName": "", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", 
+ "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:28:39.22Z", + "ReceiptTime": "Sep 02 2020 12:28:30", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": 
"10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + 
"DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:28:49.138Z", + "ReceiptTime": "Sep 02 2020 12:28:39", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + 
"CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": 
"", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + 
"FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:28:49.171Z", + "ReceiptTime": "Sep 02 2020 12:28:39", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": 
"", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + 
"DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:29:09.304Z", + "ReceiptTime": "Sep 02 2020 12:29:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + 
"MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:33:49.244Z", + "ReceiptTime": "Sep 02 2020 12:33:39", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + 
"RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": 
"", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:33:49.262Z", + "ReceiptTime": "Sep 02 2020 12:33:41", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": 
"", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:34:19.157Z", + "ReceiptTime": "Sep 02 2020 12:34:10", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": 
"SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11022, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP + SSH PROXY", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + 
"DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:34:19.194Z", + "ReceiptTime": "Sep 02 2020 12:34:15", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + 
"DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": 
"", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": 
null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:34:19.242Z", + "ReceiptTime": "Sep 02 2020 12:34:18", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + 
"DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:34:49.171Z", + "ReceiptTime": "Sep 02 2020 12:34:47", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + 
"DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10473, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (no custom window size)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + 
"DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:34:59.151Z", + "ReceiptTime": "Sep 02 2020 12:34:51", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + 
"SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10473, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (no custom window size)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": 
null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + 
"FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:35:09.153Z", + "ReceiptTime": "Sep 02 2020 12:35:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + 
"DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:35:09.277Z", + "ReceiptTime": "Sep 02 2020 12:35:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + 
"ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + 
"DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:37:39.231Z", + 
"ReceiptTime": "Sep 02 2020 12:37:32", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": 
"", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + 
"FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:03:59.236Z", + "ReceiptTime": "Sep 02 2020 12:03:50", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", 
+ "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:03:59.273Z", + "ReceiptTime": "Sep 02 2020 12:03:51", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + 
"MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + 
"DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:03:59.313Z", + "ReceiptTime": "Sep 02 2020 12:03:58", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": 
"", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + 
"RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + 
"StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:04:19.243Z", + "ReceiptTime": "Sep 02 2020 12:04:17", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": 
"max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + 
"DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:04:19.26Z", + "ReceiptTime": "Sep 02 2020 12:04:18", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + 
"DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + 
"DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:04:29.22Z", + "ReceiptTime": "Sep 02 2020 12:04:22", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": 
"[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + 
"SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:04:39.252Z", + "ReceiptTime": "Sep 02 2020 12:04:33", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + 
"FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + 
"DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:04:39.273Z", + "ReceiptTime": "Sep 02 2020 12:04:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + 
"DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": 
null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:04:39.296Z", + "ReceiptTime": "Sep 02 2020 12:04:38", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item 
Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": 
"", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + 
"SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:05:39.211Z", + "ReceiptTime": "Sep 02 2020 12:05:33", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": 
null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + 
"DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:06:29.249Z", + "ReceiptTime": "Sep 02 2020 12:06:20", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": 
"", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + 
"DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:07:09.223Z", + "ReceiptTime": "Sep 02 2020 12:07:02", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", 
+ "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + 
"DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:08:59.217Z", + "ReceiptTime": "Sep 02 2020 12:08:56", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": 
"Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + 
"OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": 
"", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:38:49.619Z", + "ReceiptTime": "Sep 02 2020 11:38:46", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + 
"DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + 
"DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:39:09.221Z", + "ReceiptTime": "Sep 02 2020 11:39:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + 
"MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + 
"DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:39:09.237Z", + "ReceiptTime": "Sep 02 2020 11:39:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + 
"SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + 
"RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + 
"AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:44:49.265Z", + "ReceiptTime": "Sep 02 2020 11:44:48", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, 
+ "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + 
"DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:45:29.254Z", + "ReceiptTime": "Sep 02 2020 11:45:25", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + 
"EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + 
"DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:45:59.146Z", + "ReceiptTime": "Sep 02 2020 11:45:50", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10019, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + 
"DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 11:15 AM by Max", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - SESSION RECORDING VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", 
+ "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": 
"", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:48:59.214Z", + "ReceiptTime": "Sep 02 2020 11:48:49", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + 
"DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:55:39.211Z", + "ReceiptTime": "Sep 02 2020 11:55:29", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + 
"ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + 
"DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:58:59.29Z", + "ReceiptTime": "Sep 02 2020 11:58:53", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": 
"", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + 
"SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + 
"_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:59:19.244Z", + "ReceiptTime": "Sep 02 2020 11:59:16", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": 
null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": 
"suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:59:19.261Z", + "ReceiptTime": "Sep 02 2020 11:59:16", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + 
"DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + 
"DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.171Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": 
"[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: 1 permission - edit for testing (Item Id: 10648) Container Name: valid secrets (Container Id: 196)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10648, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "1 permission - edit for testing", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + 
"SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "valid secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": 
"CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.196Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Cisco Account (SSH) q (Item Id: 10860) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10860, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Cisco Account (SSH) q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + 
"DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.214Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Cisco Enable Secret (Telnet) (Item Id: 10861) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": 
null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10861, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Cisco Enable Secret (Telnet)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.241Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + 
"LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Generic Discovery Credentials (Item Id: 10868) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10868, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Generic Discovery Credentials", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": 
"", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + 
"FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.518Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Generic SQL Server Account q (Item Id: 10869) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + 
"ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10869, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Generic SQL Server Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + 
"DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.542Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: HP iLO Account (SSH) (Item Id: 10872) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + 
"SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10872, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "HP iLO Account (SSH)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + 
"SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": 
"0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.57Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: IBM iSeries Mainframe q (Item Id: 10873) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10873, + "FileModificationTime": "", + "FilePath": 
"", + "FilePermission": "", + "FileType": "Secret", + "FileName": "IBM iSeries Mainframe q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + 
"DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.598Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Ldap (Active Directory) q (Item Id: 10874) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + 
"DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10874, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Ldap (Active Directory) q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + 
"DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.635Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", 
+ "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: MySql Account q (Item Id: 10875) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10875, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "MySql Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + 
"SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": 
null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.662Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Office365 Account q (Item Id: 10876) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10876, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Office365 Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + 
"DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.681Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: OpenLDAP Account q (Item Id: 10877) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + 
"MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10877, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "OpenLDAP Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.71Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + 
"LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Oracle Account (Item Id: 10878) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10878, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Oracle Account", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + 
"OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + 
"FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.743Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Password q (Item Id: 10879) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + 
"DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10879, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Password q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + 
"DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.768Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: PowerShell Active Directory q (Item Id: 10882) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": 
"", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10882, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "PowerShell Active Directory q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + 
"SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + 
"SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.79Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: SonicWall NSA Web Admin Account q (Item Id: 10888) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10888, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + 
"FileType": "Secret", + "FileName": "SonicWall NSA Web Admin Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", 
+ "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.818Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: SonicWall NSA Web Local User Account q (Item Id: 10889) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + 
"DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10889, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "SonicWall NSA Web Local User Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + 
"DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.852Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", 
+ "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: SQL Server Account q (Item Id: 10890) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10890, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "SQL Server Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + 
"SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": 
null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.886Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: Sybase Account q (Item Id: 10893) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10893, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Sybase Account q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": 
"", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.911Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: VMware ESX/ESXi q (Item Id: 10903) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + 
"MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10903, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "VMware ESX/ESXi q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + 
"DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.939Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: WatchGuard q (Item Id: 10905) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10905, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "WatchGuard q", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + 
"OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": 
null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.959Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: 2 permission - view (Item Id: 10931)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10931, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "2 permission - view", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + 
"DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:09.98Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: tryterureu (Item Id: 10933) Container Name: new folder (Container Id: 231)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + 
"ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10933, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "tryterureu", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + 
"DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "new folder", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.026Z", + "ReceiptTime": "Sep 02 2020 
12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: herht65i65i (Item Id: 10934) Container Name: Folder1 (Container Id: 260)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10934, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "herht65i65i", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + 
"OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder1", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + 
"DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.047Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: vhh (Item Id: 10938) Container Name: sub-folder1 (Container Id: 218)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + 
"DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10938, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "vhh", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + 
"DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "sub-folder1", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.073Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: ifufuguvuvuv (Item Id: 10939)", + "Protocol": "", + "SourcePort": null, + "SourceIP": 
"", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10939, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ifufuguvuvuv", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + 
"SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + 
"TimeGenerated": "2020-09-02T12:00:10.091Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: shsbksbs (Item Id: 10940)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10940, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "shsbksbs", + "FileSize": null, + "ReceivedBytes": null, + 
"OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + 
"DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.105Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: khoateating dkdn (Item Id: 10942)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + 
"DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10942, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "khoateating dkdn", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + 
"DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.137Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10009, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expired Today] By User: ThycoticSystem Item Name: hjjbccch (Item Id: 10943)", + "Protocol": "", + "SourcePort": 
null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIREDTODAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10943, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "hjjbccch", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + 
"SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": 
"OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.217Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10010, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 1 Day] By User: ThycoticSystem Item Name: 1 permission - owner for testing (Item Id: 10945) Container Name: valid secrets (Container Id: 196)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES01DAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10945, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": 
"Secret", + "FileName": "1 permission - owner for testing", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "valid secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + 
"DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.251Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10010, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 1 Day] By User: ThycoticSystem Item Name: Active Directory test (Item Id: 10950) Container Name: Folder1 (Container Id: 260)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES01DAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + 
"DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10950, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Active Directory test", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + 
"DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder1", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.282Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10010, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", 
+ "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 1 Day] By User: ThycoticSystem Item Name: Secret test (Item Id: 10952) Container Name: Folder1 (Container Id: 260)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES01DAY", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10952, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Secret test", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + 
"SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder1", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.303Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10013, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: andy33 (Item Id: 10377) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES03DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + 
"DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10377, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "andy33", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": 
"Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.354Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10013, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: CiscoVpn2 (Item Id: 10932) Container Name: Folder1 (Container Id: 260)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET 
- EXPIRES03DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10932, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "CiscoVpn2", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + 
"DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder1", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.385Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10013, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", 
+ "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: guj (Item Id: 10955)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES03DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10955, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "guj", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + 
"SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": 
"CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.402Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10013, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: dhfdshfd (Item Id: 10956)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES03DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + 
"DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10956, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "dhfdshfd", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": 
"", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.441Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10013, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: ghbj (Item Id: 10957)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES03DAYS", + "ApplicationProtocol": "", + 
"EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10957, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ghbj", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + 
"DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.479Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10013, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, 
+ "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 3 Days] By User: ThycoticSystem Item Name: secret name warner (Item Id: 10959) Container Name: . (Container Id: 71)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES03DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10959, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "secret name warner", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + 
"RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": ".", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, 
+ "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.51Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10011, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 7 Days] By User: ThycoticSystem Item Name: testing (Item Id: 10973)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES07DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + 
"DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10973, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "testing", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + 
"DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.541Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10011, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 7 Days] By User: ThycoticSystem Item Name: dgfdgdfg (Item Id: 10974) Container Name: ZOleg (Container Id: 45)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + 
"Activity": "SECRET - EXPIRES07DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10974, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "dgfdgdfg", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + 
"DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "ZOleg", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.579Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10011, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + 
"Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 7 Days] By User: ThycoticSystem Item Name: gh (Item Id: 10975) Container Name: AccForTests (Container Id: 197)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES07DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10975, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "gh", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + 
"RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "AccForTests", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + 
"FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.6Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10012, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: test (Item Id: 11030)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES15DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + 
"DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11030, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "test", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + 
"DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.621Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10012, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: gij (Item Id: 11031)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + 
"MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES15DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11031, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "gij", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", 
+ "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.65Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10012, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + 
"SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: d (Item Id: 11033)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES15DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11033, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "d", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": 
"", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + 
"AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.667Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10012, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 15 Days] By User: ThycoticSystem Item Name: Enter (Item Id: 11034)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES15DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": 
"", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11034, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "Enter", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + 
"DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.705Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10094, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 30 Days] By User: ThycoticSystem Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + 
"DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES30DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": 
"", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.724Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10094, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + 
"Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 30 Days] By User: ThycoticSystem Item Name: dhfdshfdsh (Item Id: 11099) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES30DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11099, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "dhfdshfdsh", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + 
"RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + 
"FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:00:10.762Z", + "ReceiptTime": "Sep 02 2020 12:00:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10094, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Expires in 30 Days] By User: ThycoticSystem Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EXPIRES30DAYS", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + 
"DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:38:39.303Z", + "ReceiptTime": "Sep 02 2020 12:38:31", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + 
"ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:38:49.405Z", + "ReceiptTime": "Sep 02 2020 12:38:47", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + 
"RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + 
"FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:38:59.324Z", + "ReceiptTime": "Sep 02 2020 12:38:55", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 32) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11022, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP + SSH PROXY", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + 
"DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:09.268Z", + "ReceiptTime": "Sep 02 2020 12:39:03", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 32) Details: Remote Desktop - test", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": 
"", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11022, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP + SSH PROXY", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", 
+ "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:09.287Z", + "ReceiptTime": "Sep 02 2020 12:39:07", + "DeviceVendor": "Thycotic Software", + 
"DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + 
"OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": 
null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:09.314Z", + "ReceiptTime": "Sep 02 2020 12:39:07", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + 
"DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + 
"DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:29.264Z", + "ReceiptTime": "Sep 02 2020 12:39:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: khgk (Item Id: 11097) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + 
"ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11097, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "khgk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + 
"DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:29.299Z", + "ReceiptTime": "Sep 02 2020 12:39:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret 
Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: khgk (Item Id: 11097) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11097, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "khgk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + 
"OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + 
"FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:39.148Z", + "ReceiptTime": "Sep 02 2020 12:39:31", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: rujytrjuyt (Item Id: 11096) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + 
"DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11096, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "rujytrjuyt", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + 
"DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:39:39.184Z", + "ReceiptTime": "Sep 02 2020 12:39:31", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: rujytrjuyt (Item Id: 11096) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + 
"Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11096, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "rujytrjuyt", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + 
"SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + 
"TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:19.245Z", + "ReceiptTime": "Sep 02 2020 12:40:12", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": 
"", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + 
"DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:19.286Z", + "ReceiptTime": "Sep 02 2020 12:40:12", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": 
"", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + 
"DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:19.319Z", + "ReceiptTime": "Sep 02 2020 12:40:17", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: 
[Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + 
"SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:29.26Z", + "ReceiptTime": "Sep 02 2020 12:40:25", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + 
"DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + 
"DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:29.317Z", + "ReceiptTime": "Sep 02 2020 12:40:25", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + 
"MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + 
"DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:29.352Z", + "ReceiptTime": "Sep 02 2020 12:40:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10325, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (1920x1080)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": 
null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + 
"FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:29.396Z", + "ReceiptTime": "Sep 02 2020 12:40:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", 
+ "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10325, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (1920x1080)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + 
"DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:39.296Z", + "ReceiptTime": "Sep 02 2020 12:40:30", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, 
+ "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10325, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (1920x1080)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + 
"DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:59.134Z", + "ReceiptTime": "Sep 02 2020 12:40:50", + 
"DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10019, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 12:40 PM by Max", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - SESSION RECORDING VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10325, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (1920x1080)", + 
"FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + 
"DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:40:59.152Z", + "ReceiptTime": "Sep 02 2020 12:40:52", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + 
"DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10325, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (1920x1080)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + 
"DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:48:29.154Z", + "ReceiptTime": "Sep 02 2020 12:48:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: 
ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + 
"SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:48:29.188Z", + "ReceiptTime": "Sep 02 2020 12:48:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + 
"DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:49:19.583Z", + "ReceiptTime": "Sep 02 2020 12:49:15", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + 
"Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": 
"", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:50:39.231Z", + "ReceiptTime": "Sep 02 2020 12:50:31", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + 
"DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + 
"SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": 
"CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:53:39.182Z", + "ReceiptTime": "Sep 02 2020 12:53:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + 
"DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": 
"Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:53:39.216Z", + "ReceiptTime": "Sep 02 2020 12:53:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": 
null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + 
"DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T12:55:59.144Z", + "ReceiptTime": "Sep 02 2020 12:55:50", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10019, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP (1920x1080) (Item Id: 10325) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 12:40 PM by Max", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - SESSION RECORDING VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10325, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (1920x1080)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + 
"OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": 
"", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:06:09.162Z", + "ReceiptTime": "Sep 02 2020 13:06:09", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": 
"", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10473, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (no custom window size)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + 
"DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:06:19.157Z", + "ReceiptTime": "Sep 02 2020 13:06:13", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP (no custom window size) (Item Id: 10473) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + 
"SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10473, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP (no custom window size)", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + 
"SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + 
"SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:54:49.395Z", + "ReceiptTime": "Sep 02 2020 09:54:47", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": 
null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + 
"DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:54:59.151Z", + "ReceiptTime": "Sep 02 2020 09:54:55", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + 
"DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + 
"DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:54:59.185Z", + "ReceiptTime": "Sep 02 2020 09:54:55", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: 
Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + 
"SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:58:09.263Z", + "ReceiptTime": "Sep 02 2020 09:58:01", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + 
"FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display 
Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:58:09.284Z", + "ReceiptTime": "Sep 02 2020 09:58:07", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": 
"", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + 
"DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:07:39.235Z", + "ReceiptTime": "Sep 02 2020 10:07:30", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] 
By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": 
null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": 
"0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:08:09.206Z", + "ReceiptTime": "Sep 02 2020 10:08:06", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + 
"FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + 
"DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:08:19.228Z", + "ReceiptTime": "Sep 02 2020 10:08:11", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + 
"DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + 
"DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:38:19.312Z", + "ReceiptTime": "Sep 02 2020 10:38:18", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + 
"MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + 
"DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:38:29.306Z", + "ReceiptTime": "Sep 02 2020 
10:38:22", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + 
"OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + 
"FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:38:39.328Z", + "ReceiptTime": "Sep 02 2020 10:38:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", 
+ "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:40:09.183Z", + "ReceiptTime": "Sep 02 2020 10:40:07", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": 
"", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:40:09.376Z", + "ReceiptTime": "Sep 02 2020 10:40:07", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + 
"OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": 
null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:41:49.28Z", + "ReceiptTime": "Sep 02 2020 10:41:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + 
"DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + 
"DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:41:49.303Z", + "ReceiptTime": "Sep 02 2020 10:41:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + 
"MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:41:49.331Z", + "ReceiptTime": "Sep 02 2020 10:41:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": 
"", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + 
"FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:41:49.36Z", + "ReceiptTime": "Sep 02 2020 10:41:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + 
"DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": 
"", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:41:49.424Z", + "ReceiptTime": "Sep 02 2020 10:41:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + 
"MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:42:19.259Z", + "ReceiptTime": "Sep 02 2020 10:42:12", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 
2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + 
"RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": 
"", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:43:39.213Z", + "ReceiptTime": "Sep 02 2020 10:43:35", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + 
"DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + 
"DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:44:39.256Z", + "ReceiptTime": "Sep 02 2020 10:44:31", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - 
LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + 
"DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:44:39.276Z", + "ReceiptTime": "Sep 02 2020 10:44:31", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + 
"DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: TestADSecret (Item Id: 10340) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10340, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "TestADSecret", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + 
"RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + 
"StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:44:39.346Z", + "ReceiptTime": "Sep 02 2020 10:44:32", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: TestADSecret (Item Id: 10340) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + 
"DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10340, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "TestADSecret", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + 
"DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:44:49.177Z", + "ReceiptTime": "Sep 02 2020 10:44:40", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: TestADSecret (Item Id: 10340) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + 
"MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10340, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "TestADSecret", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:44:59.175Z", + "ReceiptTime": "Sep 02 2020 10:44:51", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + 
"SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + 
"FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:45:09.216Z", + "ReceiptTime": "Sep 02 2020 10:45:01", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": 
"", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + 
"DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:45:29.302Z", + "ReceiptTime": "Sep 02 2020 10:45:21", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", 
+ "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + 
"DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:10:39.209Z", + "ReceiptTime": "Sep 02 2020 10:10:37", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": 
"", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + 
"RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + 
"StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:10:39.231Z", + "ReceiptTime": "Sep 02 2020 10:10:37", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": 
"dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + 
"DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:10:59.451Z", + "ReceiptTime": "Sep 02 2020 10:10:50", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10145, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory Sync Initiated", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "DOMAIN - SYNCHRONIZE", + "ApplicationProtocol": "", + 
"EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": "", + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "", + "FileName": "", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + 
"DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:14:49.27Z", + "ReceiptTime": "Sep 02 2020 10:14:48", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + 
"DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + 
"SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:18:19.219Z", + "ReceiptTime": "Sep 02 2020 10:18:10", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + 
"FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display 
Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:18:19.237Z", + "ReceiptTime": "Sep 02 2020 10:18:15", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": 
"", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + 
"DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:08:19.284Z", + "ReceiptTime": "Sep 02 2020 11:08:19", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] 
By User: testing Item Name: testing (Item Id: 18)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 18, + "DestinationUserName": "testing", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 18, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "testing", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + 
"SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 18, + "SourceUserName": "testing", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AccForTests", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + 
{ + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:08:39.219Z", + "ReceiptTime": "Sep 02 2020 11:08:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + 
"FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + 
"DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:09:39.149Z", + "ReceiptTime": "Sep 02 2020 11:09:35", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": 
"", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + 
"DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:11:09.17Z", + "ReceiptTime": "Sep 02 2020 11:11:07", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDPproxyTEST (Item Id: 10348) Container Name: RDP 
(Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10348, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDPproxyTEST", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + 
"SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": 
"0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:11:19.155Z", + "ReceiptTime": "Sep 02 2020 11:11:11", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + 
"FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + 
"DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:11:19.201Z", + "ReceiptTime": "Sep 02 2020 11:11:13", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + 
"DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + 
"DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:11:49.189Z", + "ReceiptTime": "Sep 02 2020 11:11:45", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: 
[Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + 
"SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:13:19.151Z", + "ReceiptTime": "Sep 02 2020 11:13:14", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + 
"DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", 
+ "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:15:09.154Z", + "ReceiptTime": "Sep 02 2020 11:15:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - 
LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + 
"DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:15:19.206Z", + "ReceiptTime": "Sep 02 2020 11:15:13", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + 
"DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + 
"SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": 
"CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:15:59.237Z", + "ReceiptTime": "Sep 02 2020 11:15:49", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10145, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Domain] Action: [Synchronize] By User: ThycoticSystem Details: Active Directory Sync Initiated", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "DOMAIN - SYNCHRONIZE", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + 
"DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": "", + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "", + "FileName": "", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + 
"DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:15:59.251Z", + "ReceiptTime": "Sep 02 2020 11:15:52", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10019, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Session Recording View] By User: ThycoticSystem Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Session Recording (0:00) on 09/02/2020 09:13 AM by Max", + "Protocol": "", + "SourcePort": null, + "SourceIP": "", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + 
"DeviceVersion": "10.9.000000", + "Activity": "SECRET - SESSION RECORDING VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 1, + "SourceUserName": "ThycoticSystem", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + 
"DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "ThycoticSystem", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:17:09.175Z", + "ReceiptTime": "Sep 02 2020 11:17:08", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + 
"SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + 
"SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + 
"FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:17:39.146Z", + "ReceiptTime": "Sep 02 2020 11:17:33", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + 
"DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + 
"DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:17:39.181Z", + "ReceiptTime": "Sep 02 2020 11:17:36", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + 
"ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + 
"DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:18:29.171Z", + "ReceiptTime": "Sep 02 2020 11:18:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + 
"DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", 
+ "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": 
"", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:18:39.202Z", + "ReceiptTime": "Sep 02 2020 11:18:38", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + 
"DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + 
"DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:25:19.233Z", + "ReceiptTime": "Sep 02 2020 11:25:17", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": 
"", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + 
"DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:26:09.239Z", + "ReceiptTime": "Sep 02 2020 11:26:05", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + 
"OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": 
"", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + 
"FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:28:49.209Z", + "ReceiptTime": "Sep 02 2020 11:28:42", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + 
"DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + 
"DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:35:29.241Z", + "ReceiptTime": "Sep 02 2020 11:35:20", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", 
+ "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + 
"DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:27:59.227Z", + "ReceiptTime": "Sep 02 2020 09:27:49", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + 
"CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + 
"RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + 
"Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:27:59.244Z", + "ReceiptTime": "Sep 02 2020 09:27:55", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": 
"", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": 
"AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:28:09.234Z", + "ReceiptTime": "Sep 02 2020 09:28:06", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + 
"DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": 
null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:31:19.214Z", + "ReceiptTime": "Sep 02 2020 09:31:11", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + 
"Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + 
"SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:34:29.296Z", + "ReceiptTime": "Sep 02 2020 09:34:25", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + 
"FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + 
"DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:34:49.158Z", + "ReceiptTime": "Sep 02 2020 09:34:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + 
"DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + 
"DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:34:49.195Z", + "ReceiptTime": "Sep 02 2020 09:34:43", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": 
"[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + 
"SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:36:19.248Z", + "ReceiptTime": "Sep 02 2020 09:36:13", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + 
"FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + 
"DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:48:29.234Z", + "ReceiptTime": "Sep 02 2020 10:48:22", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + 
"DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + 
"DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:48:29.251Z", + "ReceiptTime": "Sep 02 2020 10:48:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By 
User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, 
+ "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + 
{ + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:55:09.222Z", + "ReceiptTime": "Sep 02 2020 10:55:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + 
"FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + 
"DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:58:39.228Z", + "ReceiptTime": "Sep 02 2020 10:58:29", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + 
"DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + 
"DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:58:39.247Z", + "ReceiptTime": "Sep 02 2020 10:58:37", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", 
+ "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": 
"oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": 
"2020-09-02T11:04:39.208Z", + "ReceiptTime": "Sep 02 2020 11:04:35", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP + SSH PROXY (Item Id: 11022) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11022, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP + SSH PROXY", + "FileSize": null, + 
"ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + 
"DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:04:39.261Z", + "ReceiptTime": "Sep 02 2020 11:04:38", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + 
"DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + 
"DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:04:49.175Z", + "ReceiptTime": "Sep 02 2020 11:04:41", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: RDP Proxy (Item Id: 10349) Container Name: RDP (Container Id: 32) Details: Remote Desktop", + "Protocol": "", + "SourcePort": 
null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10349, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "RDP Proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", 
+ "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "RDP", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": 
"OpsManager", + "TimeGenerated": "2020-09-02T11:05:09.783Z", + "ReceiptTime": "Sep 02 2020 11:05:08", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + 
"OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", 
+ "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:05:49.224Z", + "ReceiptTime": "Sep 02 2020 11:05:40", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": 
"", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + 
"DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T11:05:49.244Z", + "ReceiptTime": "Sep 02 2020 11:05:40", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: dima1 Item Name: dima1 (Item Id: 17)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "188.163.82.22", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + 
"IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 17, + "DestinationUserName": "dima1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 17, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "dima1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 17, + "SourceUserName": "dima1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + 
"DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Murzak Dmitriy", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:05:59.435Z", + "ReceiptTime": "Sep 02 2020 13:05:52", + 
"DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": 
"", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, 
+ "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:09:29.211Z", + "ReceiptTime": "Sep 02 2020 13:09:23", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + 
"DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + 
"DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:01.685Z", + "ReceiptTime": "Sep 02 2020 13:11:52", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 17, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Logout] By User: testing Item Name: testing (Item Id: 18)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + 
"MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGOUT", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 18, + "DestinationUserName": "testing", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 18, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "testing", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 18, + "SourceUserName": "testing", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + 
"DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AccForTests", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:01.721Z", + "ReceiptTime": "Sep 02 2020 13:12:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + 
"DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: From \"Unix Account (SSH)\" no Private Key (Item Id: 115) Container Name: SSH Secrets (Container Id: 31)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 115, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "From \"Unix Account (SSH)\" no Private Key", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + 
"OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "SSH Secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + 
"FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:09.393Z", + "ReceiptTime": "Sep 02 2020 13:12:02", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + 
"DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", 
+ "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:09.411Z", + "ReceiptTime": "Sep 02 2020 13:12:02", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: From \"Unix Account (SSH)\" no Private Key (Item Id: 115) Container Name: SSH Secrets (Container Id: 31) Details: PuTTY", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": 
"", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 115, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "From \"Unix Account (SSH)\" no Private Key", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + 
"DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "SSH Secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:29.384Z", + "ReceiptTime": "Sep 02 2020 13:12:26", + "DeviceVendor": "Thycotic Software", + 
"DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: no proxy (Item Id: 10369) Container Name: SSH Secrets (Container Id: 31)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10369, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "no proxy", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + 
"OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "SSH Secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": 
null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:29.419Z", + "ReceiptTime": "Sep 02 2020 13:12:29", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: key proxy+ ssh (Item Id: 10411) Container Name: SSH Secrets (Container Id: 31)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + 
"DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10411, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "key proxy+ ssh", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + 
"DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "SSH Secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:12:39.155Z", + "ReceiptTime": "Sep 02 2020 13:12:32", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10006, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Launch] By User: max Item Name: key proxy+ ssh (Item Id: 10411) Container Name: SSH Secrets (Container Id: 31) Details: PuTTY", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": 
"", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - LAUNCH", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10411, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "key proxy+ ssh", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", 
+ "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "SSH Secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": 
"2020-09-02T13:19:29.242Z", + "ReceiptTime": "Sep 02 2020 13:19:26", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": 
"", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + 
"FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:24:59.228Z", + "ReceiptTime": "Sep 02 2020 10:24:53", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + 
"DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + 
"DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:27:29.243Z", + "ReceiptTime": "Sep 02 2020 10:27:24", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": 
"", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + 
"DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:27:49.152Z", + "ReceiptTime": "Sep 02 2020 10:27:41", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": 
"Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + 
"OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": 
"", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:27:49.312Z", + "ReceiptTime": "Sep 02 2020 10:27:41", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + 
"DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": 
null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:28:29.295Z", + "ReceiptTime": "Sep 02 2020 10:28:19", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + 
"ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + 
"DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:31:29.195Z", + "ReceiptTime": "Sep 02 2020 10:31:21", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": 
"Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: 10.10.200.2xbxjxbnsjs (Item Id: 10326) Container Name: SSH Secrets (Container Id: 31)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10326, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "10.10.200.2xbxjxbnsjs", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": 
"", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "SSH Secrets", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + 
"FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:31:29.293Z", + "ReceiptTime": "Sep 02 2020 10:31:25", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", 
+ "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + 
"DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:31:39.252Z", + "ReceiptTime": "Sep 02 2020 10:31:32", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": 
null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + 
"DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:09.253Z", + "ReceiptTime": "Sep 02 2020 10:32:00", + 
"DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + 
"OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": 
null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:09.328Z", + "ReceiptTime": "Sep 02 2020 10:32:01", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + 
"DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": 
"", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:09.415Z", + "ReceiptTime": "Sep 02 2020 10:32:01", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + 
"ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + 
"DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:29.205Z", + 
"ReceiptTime": "Sep 02 2020 10:32:28", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10041, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Viewed Secret Edit] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEWED_EDIT", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + 
"OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": 
"", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:29.239Z", + "ReceiptTime": "Sep 02 2020 10:32:28", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10055, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Change] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - SECRETPASSWORDCHANGE", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + 
"DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + 
"DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:29.274Z", + "ReceiptTime": "Sep 02 2020 10:32:28", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10005, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Edit] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": 
"217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EDIT", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + 
"SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": 
"2020-09-02T10:32:39.301Z", + "ReceiptTime": "Sep 02 2020 10:32:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + 
"OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + 
"DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:39.324Z", + "ReceiptTime": "Sep 02 2020 10:32:34", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": 
"", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + 
"DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:32:39.383Z", + "ReceiptTime": "Sep 02 2020 10:32:35", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + 
"SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + 
"SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": 
"OpsManager", + "TimeGenerated": "2020-09-02T10:33:09.177Z", + "ReceiptTime": "Sep 02 2020 10:33:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10055, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Change] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - SECRETPASSWORDCHANGE", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + 
"FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + 
"DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:33:09.196Z", + "ReceiptTime": "Sep 02 2020 10:33:04", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10005, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Edit] By User: max Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - EDIT", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + 
"DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + 
"DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:33:19.306Z", + "ReceiptTime": "Sep 02 2020 10:33:09", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: AppAccount Item Name: AppAccount (Item Id: 10)", + "Protocol": "", + "SourcePort": null, + "SourceIP": 
"217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 10, + "DestinationUserName": "AppAccount", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "AppAccount", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 
10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + 
"TimeGenerated": "2020-09-02T10:33:19.326Z", + "ReceiptTime": "Sep 02 2020 10:33:09", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": 
null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + 
"DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:33:19.391Z", + "ReceiptTime": "Sep 02 2020 10:33:09", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: AppAccount Item Name: 2 (Item Id: 10342) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + 
"DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10342, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": 2, + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 10, + "SourceUserName": "AppAccount", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, 
+ "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AppAccount", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:34:29.16Z", + "ReceiptTime": "Sep 02 2020 10:34:19", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25)", + "Protocol": 
"", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + 
"SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + 
"SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:34:29.213Z", + "ReceiptTime": "Sep 02 2020 10:34:19", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: max Item Name: W1\\W1 (Item Id: 10390) Container Name: Max (Container Id: 25) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 10390, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": 
"", + "FileType": "Secret", + "FileName": "W1\\W1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Max", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + 
"DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T10:34:59.208Z", + "ReceiptTime": "Sep 02 2020 10:34:57", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + 
"DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + 
"DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:21:49.326Z", + "ReceiptTime": "Sep 02 2020 13:21:47", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + 
"SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + 
"SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + 
"SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:22:00.866Z", + "ReceiptTime": "Sep 02 2020 13:21:55", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10004, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [View] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - VIEW", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + 
"FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + 
"DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T13:22:01.143Z", + "ReceiptTime": "Sep 02 2020 13:21:55", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 10039, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [Secret] Action: [Password Displayed] By User: Ibrahim1 Item Name: ktukuytk (Item Id: 11100) Container Name: Folder3s23xyjyh (Container Id: 265) Details: Fields: (Password)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "SECRET - PASSWORD_DISPLAYED", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + 
"DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": "", + "DestinationUserName": "", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11100, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "Secret", + "FileName": "ktukuytk", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + 
"DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "Folder3s23xyjyh", + "DeviceCustomString3Label": "Folder", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:37:59.809Z", + "ReceiptTime": "Sep 02 2020 09:37:53", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", 
+ "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + 
"SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": 
"/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:38:09.198Z", + "ReceiptTime": "Sep 02 2020 09:38:00", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": 
null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": 
"suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:41:58.923Z", + "ReceiptTime": "Sep 02 2020 09:41:42", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + 
"DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": 
"", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:44:09.388Z", + "ReceiptTime": "Sep 02 2020 09:44:09", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] 
By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": 
null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": 
"0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:47:59.224Z", + "ReceiptTime": "Sep 02 2020 09:47:57", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: oleg1 Item Name: oleg1 (Item Id: 11)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "93.74.172.249", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 11, + "DestinationUserName": "oleg1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 11, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "oleg1", + 
"FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 11, + "SourceUserName": "oleg1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "ZOleg", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + 
"DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:48:09.21Z", + "ReceiptTime": "Sep 02 2020 09:48:03", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: Ibrahim1 Item Name: Ibrahim1 (Item Id: 22)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + 
"DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 22, + "DestinationUserName": "Ibrahim1", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 22, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "Ibrahim1", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 22, + "SourceUserName": "Ibrahim1", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + 
"DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "AIbrahim", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:49:49.435Z", + "ReceiptTime": "Sep 02 2020 09:49:42", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + 
"MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + "OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + 
"DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + "FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + }, + { + "TenantId": "0f9902f5-f3f6-4c2c-b395-b658e0bd207c", + "SourceSystem": "OpsManager", + "TimeGenerated": "2020-09-02T09:50:39.351Z", + "ReceiptTime": "Sep 02 2020 
09:50:38", + "DeviceVendor": "Thycotic Software", + "DeviceProduct": "Secret Server", + "DeviceEventClassID": 16, + "LogSeverity": 2, + "OriginalLogSeverity": "", + "DeviceAction": "", + "SimplifiedDeviceAction": "", + "Computer": "", + "CommunicationDirection": "", + "DeviceFacility": "", + "DestinationPort": null, + "DestinationIP": "", + "DeviceAddress": "", + "DeviceName": "", + "Message": "[[SecretServer]] Event: [User] Action: [Login] By User: max Item Name: max (Item Id: 4)", + "Protocol": "", + "SourcePort": null, + "SourceIP": "217.147.161.79", + "RemoteIP": "", + "RemotePort": "", + "MaliciousIP": "", + "ThreatSeverity": null, + "IndicatorThreatType": "", + "ThreatDescription": "", + "ThreatConfidence": "", + "ReportReferenceLink": "", + "MaliciousIPLongitude": null, + "MaliciousIPLatitude": null, + "MaliciousIPCountry": "", + "DeviceVersion": "10.9.000000", + "Activity": "USER - LOGIN", + "ApplicationProtocol": "", + "EventCount": null, + "DestinationDnsDomain": "", + "DestinationServiceName": "", + "DestinationTranslatedAddress": "", + "DestinationTranslatedPort": null, + "DeviceDnsDomain": "", + "DeviceExternalID": "", + "DeviceInboundInterface": "", + "DeviceNtDomain": "", + "DeviceOutboundInterface": "", + "DevicePayloadId": "", + "ProcessName": "", + "DeviceTranslatedAddress": "", + "DestinationHostName": "", + "DestinationMACAddress": "", + "DestinationNTDomain": "", + "DestinationProcessId": null, + "DestinationUserPrivileges": "", + "DestinationProcessName": "", + "DeviceTimeZone": "", + "DestinationUserID": 4, + "DestinationUserName": "max", + "DeviceMacAddress": "", + "ProcessID": null, + "ExternalID": null, + "FileCreateTime": "", + "FileHash": "", + "FileID": 4, + "FileModificationTime": "", + "FilePath": "", + "FilePermission": "", + "FileType": "User", + "FileName": "max", + "FileSize": null, + "ReceivedBytes": null, + "OldFileCreateTime": "", + "OldFileHash": "", + "OldFileID": "", + "OldFileModificationTime": "", + "OldFileName": "", + 
"OldFilePath": "", + "OldFilePermission": "", + "OldFileSize": null, + "OldFileType": "", + "SentBytes": null, + "RequestURL": "", + "RequestClientApplication": "", + "RequestContext": "", + "RequestCookies": "", + "RequestMethod": "", + "SourceHostName": "", + "SourceMACAddress": "", + "SourceNTDomain": "", + "SourceDnsDomain": "", + "SourceServiceName": "", + "SourceTranslatedAddress": "", + "SourceTranslatedPort": null, + "SourceProcessId": null, + "SourceUserPrivileges": "", + "SourceProcessName": "", + "SourceUserID": 4, + "SourceUserName": "max", + "EventType": null, + "DeviceCustomIPv6Address1": "", + "DeviceCustomIPv6Address1Label": "", + "DeviceCustomIPv6Address2": "", + "DeviceCustomIPv6Address2Label": "", + "DeviceCustomIPv6Address3": "", + "DeviceCustomIPv6Address3Label": "", + "DeviceCustomIPv6Address4": "", + "DeviceCustomIPv6Address4Label": "", + "DeviceCustomFloatingPoint1": null, + "DeviceCustomFloatingPoint1Label": "", + "DeviceCustomFloatingPoint2": null, + "DeviceCustomFloatingPoint2Label": "", + "DeviceCustomFloatingPoint3": null, + "DeviceCustomFloatingPoint3Label": "", + "DeviceCustomFloatingPoint4": null, + "DeviceCustomFloatingPoint4Label": "", + "DeviceCustomNumber1": null, + "DeviceCustomNumber1Label": "", + "DeviceCustomNumber2": null, + "DeviceCustomNumber2Label": "", + "DeviceCustomNumber3": null, + "DeviceCustomNumber3Label": "", + "DeviceCustomString1": "", + "DeviceCustomString1Label": "", + "DeviceCustomString2": "", + "DeviceCustomString2Label": "", + "DeviceCustomString3": "", + "DeviceCustomString3Label": "", + "DeviceCustomString4": "Max", + "DeviceCustomString4Label": "suser Display Name", + "DeviceCustomString5": "", + "DeviceCustomString5Label": "", + "DeviceCustomString6": "", + "DeviceCustomString6Label": "", + "DeviceCustomDate1": "", + "DeviceCustomDate1Label": "", + "DeviceCustomDate2": "", + "DeviceCustomDate2Label": "", + "FlexDate1": "", + "FlexDate1Label": "", + "FlexNumber1": null, + "FlexNumber1Label": "", + 
"FlexNumber2": null, + "FlexNumber2Label": "", + "FlexString1": "", + "FlexString1Label": "", + "FlexString2": "", + "FlexString2Label": "", + "AdditionalExtensions": "", + "StartTime": null, + "EndTime": null, + "Type": "CommonSecurityLog", + "_ResourceId": "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic-sentinel_group/providers/microsoft.compute/virtualmachines/thycotic-sentinel" + } +] \ No newline at end of file diff --git a/Workbooks/Images/Logos/ThycoticLogo.svg b/Workbooks/Images/Logos/ThycoticLogo.svg new file mode 100644 index 0000000000..092758fd2a --- /dev/null +++ b/Workbooks/Images/Logos/ThycoticLogo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/Workbooks/Images/Preview/ThycoticWorkbookBlack.PNG b/Workbooks/Images/Preview/ThycoticWorkbookBlack.PNG new file mode 100644 index 0000000000..df166506a6 Binary files /dev/null and b/Workbooks/Images/Preview/ThycoticWorkbookBlack.PNG differ diff --git a/Workbooks/Images/Preview/ThycoticWorkbookWhite.PNG b/Workbooks/Images/Preview/ThycoticWorkbookWhite.PNG new file mode 100644 index 0000000000..66a622bf1e Binary files /dev/null and b/Workbooks/Images/Preview/ThycoticWorkbookWhite.PNG differ diff --git a/Workbooks/ThycoticWorkbook.json b/Workbooks/ThycoticWorkbook.json new file mode 100644 index 0000000000..8e1a2857d1 --- /dev/null +++ b/Workbooks/ThycoticWorkbook.json 
@@ -0,0 +1,322 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "### Thycotic Workbook\n" + }, + "name": "text - 2", + "styleSettings": { + "margin": "1", + "padding": "1" + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d273a798-8340-441a-9289-d1a79c87ed0c", + "version": "KqlParameterItem/1.0", + "name": "Timespan", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 43200000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 1, + "content": { + "json": "Most usage operations for SecretServer" + }, + "name": "text - 9" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "cellValue": "page", + "linkTarget": "parameter", + "linkLabel": "Overview", + "subTarget": "FileType != \"test event\"", + "style": "primary" + }, + { + "cellValue": "page", + "linkTarget": "parameter", + "linkLabel": "Secret", + "subTarget": "FileType == \"Secret\"", + "style": "primary" + }, + { + "cellValue": "page", + "linkTarget": "parameter", + "linkLabel": "User", + "subTarget": "FileType == \"User\"", + "style": "primary" + }, + { + "cellValue": "page", + "linkTarget": "parameter", + "linkLabel": "Folder", + "subTarget": "FileType == \"Folder\"", + "style": "secondary" + } + ] + }, + "name": "links - 3", + "styleSettings": { + "margin": "0px", + "padding": "0px" + } + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Thycotic Software\" | where DeviceProduct == \"Secret Server\" | where LogSeverity == 2 \n| where {page:query}\n| where TimeGenerated {Timespan:query}\n| summarize countRecord = count(), lastDate = arg_max(TimeGenerated, *) by FileName\n| order by countRecord\n| take 10\n| project FileType, Activity, SecretName=FileName, countRecord, lastDate ", + "size": 2, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "FileType", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "countRecord", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "FileType", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "countRecord", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "countRecord", + "sourceIdField": "Activity", + "targetIdField": "FileType", + "graphOrientation": 3, + "showOrientationToggles": false, + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": null, + "hivesMargin": 5 + } + }, + "name": "query - 3" + }, + { + "type": 1, + "content": { + "json": "## Expires secrets" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n|where LogSeverity == 2 \r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by Activity\r\n| where extract(\"EXPIRE[S|D](\\\\d+)DAY\\\\w?\", 1, Activity) != \"\"\r\n| project 
extract(\"EXPIRE[S|D](\\\\d+)DAY\\\\w?\", 1, Activity), count_\r\n| order by count_ asc ", + "size": 2, + "noDataMessage": "Secrets that will soon expire are not found", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "03", + "label": "Expre to 3 days", + "comment": "Expire to 3 days" + }, + { + "seriesName": "07", + "label": "Expire to 7 days", + "comment": "Expire to 7 days" + }, + { + "seriesName": "15", + "label": "Expire to 15 days", + "comment": "Expire to 15 days" + }, + { + "seriesName": "30", + "label": "Expire to 30 days" + }, + { + "seriesName": "01", + "label": "Expire to 1 day" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 17, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "name": "query - 4" + }, + { + "type": 1, + "content": { + "json": "### Expired secret today" + }, + "name": "text - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n|where LogSeverity == 2 \r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by Activity\r\n| where Activity == \"SECRET - EXPIREDTODAY\"\r\n| project count_\r\n| order by count_ asc ", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "FileName", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "name": "query 
- 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Thycotic Software\"\n| where DeviceProduct == \"Secret Server\"\n|where LogSeverity == 2 \r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by Activity, FileName\r\n| where Activity == \"SECRET - EXPIREDTODAY\"\r\n| project FileName", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "FileName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "150px" + } + } + ], + "labelSettings": [ + { + "columnId": "FileName", + "label": "Secret Name" + } + ] + } + }, + "name": "query - 8" + } + ], + "fallbackResourceIds": [ + "/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/resourcegroups/thycotic/providers/microsoft.operationalinsights/workspaces/thycotic02" + ], + "fromTemplateId": "sentinel-Thycotic", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 2b8476e038..503eab24ee 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json 
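Review bot: `fallbackResourceIds` at the end of the template is pinned to one concrete workspace (`/subscriptions/80e05ab0-5906-45a8-98ff-c9520c4b418b/.../workspaces/thycotic02`), which publishes the author's subscription and workspace identifiers in a shared template and presumably makes that workspace the fallback for anyone who opens the workbook. I would ship `"fallbackResourceIds": []` (or drop the key) so the workbook binds to the workspace it is opened from. The expiry queries in `query - 4`, `query - 6` and `query - 8` hard-code `| where TimeGenerated > ago(1d)` and ignore the `Timespan` parameter that `query - 3` honours, so the time picker has no effect on them; `| where TimeGenerated {Timespan:query}` would make them consistent. In `query - 4` the character class `[S|D]` also matches a literal `|` (presumably `[SD]` was meant), and the series label `Expre to 3 days` has a typo.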
@@ -1036,5 +1036,18 @@
 "templateRelativePath": "DataCollectionHealthMonitoring.json",
 "subtitle": "",
 "provider": "Microsoft"
- }
-]
+ },
+ {
+ "workbookKey": "ThycoticWorkbook",
+ "logoFileName": "ThycoticLogo.svg",
+ "description": "The Thycotic Secret Server Syslog connector",
+ "dataTypesDependencies": [ "CommonSecurityLog" ],
+ "dataConnectorsDependencies": [ "ThycoticSecretServer_CEF" ],
+ "previewImagesFileNames": ["ThycoticWorkbookWhite.png", "ThycoticWorkbookBlack.png"],
+ "version": "1.0",
+ "title": "Thycotic Secret Server Workbook",
+ "templateRelativePath": "ThycoticWorkbook.json",
+ "subtitle": "",
+ "provider": "Thycotic"
+ }
+]
\ No newline at end of file
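Review bot: `previewImagesFileNames` lists `ThycoticWorkbookWhite.png` and `ThycoticWorkbookBlack.png`, but the images this commit adds under `Workbooks/Images/Preview/` are named `ThycoticWorkbookWhite.PNG` and `ThycoticWorkbookBlack.PNG`. On a case-sensitive file system or URL the previews will presumably fail to resolve, so either rename the files or reference them as `["ThycoticWorkbookWhite.PNG", "ThycoticWorkbookBlack.PNG"]`. The `description` value "The Thycotic Secret Server Syslog connector" describes the data connector rather than what the workbook shows; a sentence naming the views it provides would fit the gallery entry better. The new side also ends without a trailing newline, which the old file had.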