[bitwarden:events]
LINE_BREAKER = ([\r\n])
SHOULD_LINEMERGE = false
TRUNCATE = 5000
KV_MODE = json
FIELDALIAS-alias_1 = ipAddress AS src
FIELDALIAS-alias_2 = date AS timestamp
EVAL-typeName = coalesce(case(\
    type==1000,"User_LoggedIn",\
    type==1001,"User_ChangedPassword",\
    type==1002,"User_Updated2fa",\
    type==1003,"User_Disabled2fa",\
    type==1004,"User_Recovered2fa",\
    type==1005,"User_FailedLogIn",\
    type==1006,"User_FailedLogIn2fa",\
    type==1007,"User_ClientExportedVault",\
    type==1008,"User_UpdatedTempPassword",\
    type==1009,"User_MigratedKeyToKeyConnector",\
    type==1010,"User_RequestedDeviceApproval",\
    type==1011,"User_TdeOffboardingPasswordSet",\
    type==1100,"Cipher_Created",\
    type==1101,"Cipher_Updated",\
    type==1102,"Cipher_Deleted",\
    type==1103,"Cipher_AttachmentCreated",\
    type==1104,"Cipher_AttachmentDeleted",\
    type==1105,"Cipher_Shared",\
    type==1106,"Cipher_UpdatedCollections",\
    type==1107,"Cipher_ClientViewed",\
    type==1108,"Cipher_ClientToggledPasswordVisible",\
    type==1109,"Cipher_ClientToggledHiddenFieldVisible",\
    type==1110,"Cipher_ClientToggledCardCodeVisible",\
    type==1111,"Cipher_ClientCopiedPassword",\
    type==1112,"Cipher_ClientCopiedHiddenField",\
    type==1113,"Cipher_ClientCopiedCardCode",\
    type==1114,"Cipher_ClientAutofilled",\
    type==1115,"Cipher_SoftDeleted",\
    type==1116,"Cipher_Restored",\
    type==1117,"Cipher_ClientToggledCardNumberVisible",\
    type==1300,"Collection_Created",\
    type==1301,"Collection_Updated",\
    type==1302,"Collection_Deleted",\
    type==1400,"Group_Created",\
    type==1401,"Group_Updated",\
    type==1402,"Group_Deleted",\
    type==1500,"OrganizationUser_Invited",\
    type==1501,"OrganizationUser_Confirmed",\
    type==1502,"OrganizationUser_Updated",\
    type==1503,"OrganizationUser_Removed",\
    type==1504,"OrganizationUser_UpdatedGroups",\
    type==1505,"OrganizationUser_UnlinkedSso",\
    type==1506,"OrganizationUser_ResetPassword_Enroll",\
    type==1507,"OrganizationUser_ResetPassword_Withdraw",\
    type==1508,"OrganizationUser_AdminResetPassword",\
    type==1509,"OrganizationUser_ResetSsoLink",\
    type==1510,"OrganizationUser_FirstSsoLogin",\
    type==1511,"OrganizationUser_Revoked",\
    type==1512,"OrganizationUser_Restored",\
    type==1513,"OrganizationUser_ApprovedAuthRequest",\
    type==1514,"OrganizationUser_RejectedAuthRequest",\
    type==1515,"OrganizationUser_Deleted",\
    type==1516,"OrganizationUser_Left",\
    type==1517,"OrganizationUser_AutomaticallyConfirmed",\
    type==1600,"Organization_Updated",\
    type==1601,"Organization_PurgedVault",\
    type==1602,"Organization_ClientExportedVault",\
    type==1603,"Organization_VaultAccessed",\
    type==1604,"Organization_EnabledSso",\
    type==1605,"Organization_DisabledSso",\
    type==1606,"Organization_EnabledKeyConnector",\
    type==1607,"Organization_DisabledKeyConnector",\
    type==1608,"Organization_SponsorshipsSynced",\
    type==1609,"Organization_CollectionManagement_Updated",\
    type==1610,"Organization_CollectionManagement_LimitCollectionCreationEnabled",\
    type==1611,"Organization_CollectionManagement_LimitCollectionCreationDisabled",\
    type==1612,"Organization_CollectionManagement_LimitCollectionDeletionEnabled",\
    type==1613,"Organization_CollectionManagement_LimitCollectionDeletionDisabled",\
    type==1614,"Organization_CollectionManagement_LimitItemDeletionEnabled",\
    type==1615,"Organization_CollectionManagement_LimitItemDeletionDisabled",\
    type==1616,"Organization_CollectionManagement_AllowAdminAccessToAllCollectionItemsEnabled",\
    type==1617,"Organization_CollectionManagement_AllowAdminAccessToAllCollectionItemsDisabled",\
    type==1620,"Organization_AutoConfirmEnabled_Admin",\
    type==1621,"Organization_AutoConfirmDisabled_Admin",\
    type==1622,"Organization_AutoConfirmEnabled_Portal",\
    type==1623,"Organization_AutoConfirmDisabled_Portal",\
    type==1700,"Policy_Updated",\
    type==1800,"ProviderUser_Invited",\
    type==1801,"ProviderUser_Confirmed",\
    type==1802,"ProviderUser_Updated",\
    type==1803,"ProviderUser_Removed",\
    type==1900,"ProviderOrganization_Created",\
    type==1901,"ProviderOrganization_Added",\
    type==1902,"ProviderOrganization_Removed",\
    type==1903,"ProviderOrganization_VaultAccessed",\
    type==2000,"OrganizationDomain_Added",\
    type==2001,"OrganizationDomain_Removed",\
    type==2002,"OrganizationDomain_Verified",\
    type==2003,"OrganizationDomain_NotVerified",\
    type==2100,"Secret_Retrieved",\
    type==2101,"Secret_Created",\
    type==2102,"Secret_Edited",\
    type==2103,"Secret_Deleted",\
    type==2104,"Secret_Permanently_Deleted",\
    type==2105,"Secret_Restored",\
    type==2200,"Project_Retrieved",\
    type==2201,"Project_Created",\
    type==2202,"Project_Edited",\
    type==2203,"Project_Deleted"\
    ), type)
EVAL-deviceName = coalesce(case(device==0,"Android",\
    device==1,"iOS",\
    device==2,"Chrome Extension",\
    device==3,"Firefox Extension",\
    device==4,"Opera Extension",\
    device==5,"Edge Extension",\
    device==6,"Windows Desktop",\
    device==7,"macOS Desktop",\
    device==8,"Linux Desktop",\
    device==9,"Chrome Browser",\
    device==10,"Firefox Browser",\
    device==11,"Opera Browser",\
    device==12,"Edge Browser",\
    device==13,"IEBrowser",\
    device==14,"Unknown Browser",\
    device==15,"Android Amazon",\
    device==16,"UWP",\
    device==17,"Safari Browser",\
    device==18,"Vivaldi Browser",\
    device==19,"Vivaldi Extension",\
    device==20,"Safari Extension",\
    device==21,"SDK",\
    device==22,"Server",\
    device==23,"Windows CLI",\
    device==24,"MacOs CLI",\
    device==25,"Linux CLI",\
    device==26,"DuckDuckGo"\
    ), device)
TIME_PREFIX = "date":"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z