From d7d541f6ba9a7b301bdbe9d735a6c544021ea2ae Mon Sep 17 00:00:00 2001
From: Cameron East
Date: Wed, 12 Jun 2024 08:37:32 +0100
Subject: [PATCH 1/3] added foundryvtt collection and tests
---
 .tests/foundryvtt-bf/config.yaml | 13 +
 .tests/foundryvtt-bf/foundryvtt-bf.log | 8 +
 .tests/foundryvtt-bf/parser.assert | 0
 .tests/foundryvtt-bf/scenario.assert | 54 +++
 .tests/foundryvtt-logs/config.yaml | 13 +
 .tests/foundryvtt-logs/foundryvtt-logs.log | 8 +
 .tests/foundryvtt-logs/parser.assert | 342 ++++++++++++++++++
 .tests/foundryvtt-logs/scenario.assert | 0
 collections/eastcw/foundryvtt.md | 50 +++
 collections/eastcw/foundryvtt.yaml | 10 +
 parsers/s01-parse/eastcw/foundryvtt-logs.md | 47 +++
 parsers/s01-parse/eastcw/foundryvtt-logs.yaml | 33 ++
 scenarios/eastcw/foundryvtt-bf.md | 3 +
 scenarios/eastcw/foundryvtt-bf.yaml | 18 +
 14 files changed, 599 insertions(+)
 create mode 100644 .tests/foundryvtt-bf/config.yaml
 create mode 100644 .tests/foundryvtt-bf/foundryvtt-bf.log
 create mode 100644 .tests/foundryvtt-bf/parser.assert
 create mode 100644 .tests/foundryvtt-bf/scenario.assert
 create mode 100644 .tests/foundryvtt-logs/config.yaml
 create mode 100644 .tests/foundryvtt-logs/foundryvtt-logs.log
 create mode 100644 .tests/foundryvtt-logs/parser.assert
 create mode 100644 .tests/foundryvtt-logs/scenario.assert
 create mode 100644 collections/eastcw/foundryvtt.md
 create mode 100644 collections/eastcw/foundryvtt.yaml
 create mode 100644 parsers/s01-parse/eastcw/foundryvtt-logs.md
 create mode 100644 parsers/s01-parse/eastcw/foundryvtt-logs.yaml
 create mode 100644 scenarios/eastcw/foundryvtt-bf.md
 create mode 100644 scenarios/eastcw/foundryvtt-bf.yaml
diff --git a/.tests/foundryvtt-bf/config.yaml b/.tests/foundryvtt-bf/config.yaml
new file mode 100644
index 00000000000..1eb57df4727
--- /dev/null
+++ b/.tests/foundryvtt-bf/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/dateparse-enrich
+ - ./parsers/s01-parse/eastcw/foundryvtt-logs.yaml
+scenarios:
+ - ./scenarios/eastcw/foundryvtt-bf.yaml
+postoverflows:
+ - ""
+log_file: foundryvtt-bf.log
+log_type: foundryvtt
+labels: {}
+ignore_parsers: true
+override_statics: []
diff --git a/.tests/foundryvtt-bf/foundryvtt-bf.log b/.tests/foundryvtt-bf/foundryvtt-bf.log
new file mode 100644
index 00000000000..d7e934269e6
--- /dev/null
+++ b/.tests/foundryvtt-bf/foundryvtt-bf.log
@@ -0,0 +1,8 @@
+{"ip":"192.168.1.165","level":"warn","message":"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password","status":403,"timestamp":"2024-06-10 10:29:21"}
+{"ip":"192.168.1.165","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"51d183ff8c3b547a6a1883df","status":401,"timestamp":"2024-06-10 10:29:56"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"cac2d280a26a838e96e4aaef","status":401,"timestamp":"2024-06-10 21:12:53"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"cac2d280a26a838e96e4aaef","status":401,"timestamp":"2024-06-10 21:12:54"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"cac2d280a26a838e96e4aaef","status":401,"timestamp":"2024-06-10 21:12:54"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password","status":403,"timestamp":"2024-06-10 21:12:59"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password","status":403,"timestamp":"2024-06-10 21:13:00"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password","status":403,"timestamp":"2024-06-10 21:13:00"}
\ No newline at end of file
diff --git a/.tests/foundryvtt-bf/parser.assert b/.tests/foundryvtt-bf/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/foundryvtt-bf/scenario.assert b/.tests/foundryvtt-bf/scenario.assert
new file mode 100644
index 00000000000..12aba70fe83
--- /dev/null
+++ b/.tests/foundryvtt-bf/scenario.assert
@@ -0,0 +1,54 @@
+len(results) == 1
+"::ffff:192.168.1.114" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["::ffff:192.168.1.114"].IP == "::ffff:192.168.1.114"
+results[0].Overflow.Sources["::ffff:192.168.1.114"].Range == ""
+results[0].Overflow.Sources["::ffff:192.168.1.114"].GetScope() == "Ip"
+results[0].Overflow.Sources["::ffff:192.168.1.114"].GetValue() == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "foundryvtt-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "foundryvtt_failed_game_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[0].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-06-10T21:12:53Z"
+results[0].Overflow.Alert.Events[0].GetMeta("username") == "Gamemaster"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "foundryvtt-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "foundryvtt_failed_game_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[1].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-06-10T21:12:54Z"
+results[0].Overflow.Alert.Events[1].GetMeta("username") == "Gamemaster"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "foundryvtt-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "foundryvtt_failed_game_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[2].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-06-10T21:12:54Z"
+results[0].Overflow.Alert.Events[2].GetMeta("username") == "Gamemaster"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "foundryvtt-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "foundryvtt_failed_admin_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[3].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-06-10T21:12:59Z"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "foundryvtt-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "foundryvtt_failed_admin_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[4].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-06-10T21:13:00Z"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "foundryvtt-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "foundryvtt_failed_admin_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "::ffff:192.168.1.114"
+results[0].Overflow.Alert.Events[5].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-06-10T21:13:00Z"
+results[0].Overflow.Alert.GetScenario() == "eastcw/foundryvtt_bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
diff --git a/.tests/foundryvtt-logs/config.yaml b/.tests/foundryvtt-logs/config.yaml
new file mode 100644
index 00000000000..7ebb93a1ed0
--- /dev/null
+++ b/.tests/foundryvtt-logs/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/dateparse-enrich
+ - ./parsers/s01-parse/eastcw/foundryvtt-logs.yaml
+scenarios:
+ - ""
+postoverflows:
+ - ""
+log_file: foundryvtt-logs.log
+log_type: foundryvtt
+labels: {}
+ignore_parsers: false
+override_statics: []
diff --git a/.tests/foundryvtt-logs/foundryvtt-logs.log b/.tests/foundryvtt-logs/foundryvtt-logs.log
new file mode 100644
index 00000000000..d7e934269e6
--- /dev/null
+++ b/.tests/foundryvtt-logs/foundryvtt-logs.log
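Review bot: The alert source pinned in this scenario.assert is the IPv4-mapped IPv6 string `::ffff:192.168.1.114` (`results[0].Overflow.Sources["::ffff:192.168.1.114"].IP == "::ffff:192.168.1.114"`, scope `Ip`), so a decision raised by `eastcw/foundryvtt_bf` will carry the mapped form rather than the plain `192.168.1.114`, while the same fixture also contains an unmapped `192.168.1.165`. Whether every remediation component matches a `::ffff:`-prefixed decision value against a client that connects over plain IPv4 is not guaranteed, so it is safer to strip a leading `::ffff:` from the parsed `source_ip` in the parser (`parsers/s01-parse/eastcw/foundryvtt-logs.yaml`, not in this chunk) before it is copied into the `source_ip` meta, and then assert the plain address here. The same fixture blob (`d7e934269e6`) also feeds `.tests/foundryvtt-logs`, so its parser.assert would need the matching change.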
@@ -0,0 +1,8 @@
+{"ip":"192.168.1.165","level":"warn","message":"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password","status":403,"timestamp":"2024-06-10 10:29:21"}
+{"ip":"192.168.1.165","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"51d183ff8c3b547a6a1883df","status":401,"timestamp":"2024-06-10 10:29:56"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"cac2d280a26a838e96e4aaef","status":401,"timestamp":"2024-06-10 21:12:53"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"cac2d280a26a838e96e4aaef","status":401,"timestamp":"2024-06-10 21:12:54"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"User authentication failed for user Gamemaster; invalid password","session":"cac2d280a26a838e96e4aaef","status":401,"timestamp":"2024-06-10 21:12:54"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password","status":403,"timestamp":"2024-06-10 21:12:59"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password","status":403,"timestamp":"2024-06-10 21:13:00"}
+{"ip":"::ffff:192.168.1.114","level":"warn","message":"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password","status":403,"timestamp":"2024-06-10 21:13:00"}
\ No newline at end of file
diff --git a/.tests/foundryvtt-logs/parser.assert b/.tests/foundryvtt-logs/parser.assert
new file mode 100644
index 00000000000..5ac62976311
--- /dev/null
+++ b/.tests/foundryvtt-logs/parser.assert
@@ -0,0 +1,342 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 8
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 10:29:21\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"51d183ff8c3b547a6a1883df\",\"status\":401,\"timestamp\":\"2024-06-10 10:29:56\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:53\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:12:59\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "foundryvtt"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == "file"
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false
+len(results["s01-parse"]["eastcw/foundryvtt-logs"]) == 8
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.165"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["time"] == "10:29:21"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 10:29:21\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["source_ip"] == "192.168.1.165"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.165"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["time"] == "10:29:56"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"51d183ff8c3b547a6a1883df\",\"status\":401,\"timestamp\":\"2024-06-10 10:29:56\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["source_ip"] == "192.168.1.165"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["time"] == "21:12:53"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:53\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid 
password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["time"] == "21:12:54"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["time"] == "21:12:54"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["username"] == "Gamemaster"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:12:59\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["time"] == "21:12:59"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["time"] == "21:13:00"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Success == true
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["date"] == "2024-06-10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["month"] == "06"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["time"] == "21:13:00"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["year"] == "2024"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["day"] == "10"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["program"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["datasource_path"] == "foundryvtt-logs.log"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["service"] == "foundryvtt"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["source_ip"] == "::ffff:192.168.1.114"
+results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef"
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 10:29:21\"}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["month"] == "06"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "10:29:21"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2024"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2024-06-10"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "10"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "foundryvtt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.165"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.165"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-06-10T10:29:21Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-06-10T10:29:21Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"51d183ff8c3b547a6a1883df\",\"status\":401,\"timestamp\":\"2024-06-10 10:29:56\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.165" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "10:29:56" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.165" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-06-10T10:29:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-06-10T10:29:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:53\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["year"] == "2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] == "21:12:53" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-06-10T21:12:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time"] == "21:12:54" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["year"] == "2024" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-06-10T21:12:54Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:54Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time"] == "21:12:54" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["year"] == "2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-06-10T21:12:54Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "Gamemaster" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:54Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["year"] == "2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:12:59\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] == "21:12:59" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2024-06-10T21:12:59Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:59Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["date"] == "2024-06-10" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["year"] == "2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time"] == "21:13:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2024-06-10T21:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["year"] == "2024" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["time"] == "21:13:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["day"] == "10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2024-06-10T21:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:13:00Z" +len(results["success"][""]) == 0 \ No newline at 
end of file
diff --git a/.tests/foundryvtt-logs/scenario.assert b/.tests/foundryvtt-logs/scenario.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/collections/eastcw/foundryvtt.md b/collections/eastcw/foundryvtt.md
new file mode 100644
index 00000000000..3c96e876339
--- /dev/null
+++ b/collections/eastcw/foundryvtt.md
@@ -0,0 +1,50 @@
+A collection to defend [Foundry VTT](https://foundryvtt.com/) server instances against brute force attacks:
+
+- Foundry VTT parser
+- Foundry VTT brute force detection
+
+## Acquisition Templates
+
+See example acquisitions for this collection below. Foundry V12 changed the way logs are generated and now creates a new file daily.
+
+### For Foundry V11 and lower
+
+If using LOG_FILE environment variable:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.log
+labels:
+ type: foundryvtt
+```
+
+If running via systemd:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.log
+ type: foundryvtt
+```
+
+### For Foundry V12 and up
+
+If using LOG_FILE environment variable:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.*.log
+labels:
+ type: foundryvtt
+```
+
+If running via systemd:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.*.log
+ type: foundryvtt
+```
diff --git a/collections/eastcw/foundryvtt.yaml b/collections/eastcw/foundryvtt.yaml
new file mode 100644
index 00000000000..c6c43de5f60
--- /dev/null
+++ b/collections/eastcw/foundryvtt.yaml
@@ -0,0 +1,10 @@
+parsers:
+ - eastcw/foundryvtt-logs
+scenarios:
+ - eastcw/foundryvtt-bf
+description: "Foundry VTT log parsing and bruteforce protection"
+author: eastcw
+tags:
+ - linux
+ - brute-force
+ - foundryvtt
diff --git a/parsers/s01-parse/eastcw/foundryvtt-logs.md b/parsers/s01-parse/eastcw/foundryvtt-logs.md
new file mode 100644
index 00000000000..be22f45d849
--- /dev/null
+++ b/parsers/s01-parse/eastcw/foundryvtt-logs.md
@@ -0,0 +1,47 @@
+Parser for [Foundry VTT](https://foundryvtt.com/) server logs.
+
+## Acquisition Templates
+
+See example acquisitions for this collection below. Foundry V12 changed the way logs are generated and now creates a new file daily.
+
+### For Foundry V11 and lower
+
+If using LOG_FILE environment variable:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.log
+labels:
+ type: foundryvtt
+```
+
+If running via systemd:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.log
+ type: foundryvtt
+```
+
+### For Foundry V12 and up
+
+If using LOG_FILE environment variable:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.*.log
+labels:
+ type: foundryvtt
+```
+
+If running via systemd:
+
+```yaml
+---
+filenames:
+ - /PATH_TO_YOUR_FOUNDRY_DATA/Logs/debug.*.log
+ type: foundryvtt
+```
diff --git a/parsers/s01-parse/eastcw/foundryvtt-logs.yaml b/parsers/s01-parse/eastcw/foundryvtt-logs.yaml
new file mode 100644
index 00000000000..2705f9b28fd
--- /dev/null
+++ b/parsers/s01-parse/eastcw/foundryvtt-logs.yaml
@@ -0,0 +1,33 @@
+name: eastcw/foundryvtt-logs
+description: "Parse Foundry VTT logs"
+filter: "evt.Parsed.program == 'foundryvtt'"
+debug: true
+onsuccess: next_stage
+pattern_syntax:
+ DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}"
+
+nodes:
+ - grok:
+ pattern: '\{"ip":"%{IP:source_ip}","level":"warn","message":"Administrator authentication failed for session %{BASE16NUM:session_id}; invalid password","status":403,"timestamp":"%{DATE_YMD:date} %{TIME:time}"}'
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: foundryvtt_failed_admin_auth
+ - grok:
+ pattern: '\{"ip":"%{IP:source_ip}","level":"warn","message":"User authentication failed for user %{USERNAME:username}; invalid password","session":"%{BASE16NUM:session_id}","status":401,"timestamp":"%{DATE_YMD:date} %{TIME:time}"}'
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: foundryvtt_failed_game_auth
+ - meta: username
+ expression: evt.Parsed.username
+
+statics:
+ - meta: service
+ value: foundryvtt
+ - meta: source_ip
+ expression: evt.Parsed.source_ip
+ - meta: source_session_id
+ expression: evt.Parsed.session_id
+ - target: evt.StrTime
+ expression: evt.Parsed.date + ' ' + evt.Parsed.time
diff --git a/scenarios/eastcw/foundryvtt-bf.md b/scenarios/eastcw/foundryvtt-bf.md
new file mode 100644
index 00000000000..f2f9154d2f6
--- /dev/null
+++ b/scenarios/eastcw/foundryvtt-bf.md
@@ -0,0 +1,3 @@
+Detect failed Foundry VTT authentications.
+
+Leakspeed of 30s, capacity of 5 on source IP.
diff --git a/scenarios/eastcw/foundryvtt-bf.yaml b/scenarios/eastcw/foundryvtt-bf.yaml
new file mode 100644
index 00000000000..5a12df8be37
--- /dev/null
+++ b/scenarios/eastcw/foundryvtt-bf.yaml
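Review bot: The second grok node captures the account with `%{USERNAME:username}`, and the stock USERNAME pattern only matches `[a-zA-Z0-9._-]+`, so a failed login for any user whose name contains a space or other character never matches, never gets a `log_type`, and is invisible to the scenario — a detection gap an attacker does not even need to aim for. Since the literal `; invalid password` already bounds the capture, `%{DATA:username}` closes it without loosening anything else. `debug: true` on the fourth line should also be dropped before this is published, as it makes every event the parser sees land in crowdsec's log at debug level. Separately, `%{IP:source_ip}` copies the IPv4-mapped form `::ffff:192.168.1.114` verbatim into `evt.Meta.source_ip` (the test expectations in this patch show it); it is worth confirming that the resulting decision is applied to the plain IPv4 address rather than the mapped string before relying on the ban, or normalising it in the `source_ip` static (for example with `TrimPrefix`, if your crowdsec version provides it).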
@@ -0,0 +1,18 @@
+type: leaky
+name: eastcw/foundryvtt_bf
+description: "Detect Foundry VTT bruteforce"
+
+filter: "evt.Meta.log_type in ['foundryvtt_failed_admin_auth', 'foundryvtt_failed_game_auth']"
+leakspeed: 30s
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: foundryvtt
+ behavior: "generic:bruteforce"
+ classification: attack.T1110
+ label: "Foundry VTT Bruteforce"
+ spoofable: 0
+ confidence: 3
+ remediation: true
From ca9d0c210470b03799aec8c10c9d39b11ee9a80b Mon Sep 17 00:00:00 2001
From: Cameron East <25549143+eastcw@users.noreply.github.com>
Date: Mon, 24 Jun 2024 12:59:32 +0100
Subject: [PATCH 2/3] changed parser to use UnmarshalJSON & cleared up review points
---
 .tests/foundryvtt-bf/scenario.assert | 41 +-
 .tests/foundryvtt-logs/parser.assert | 380 +++++++++---------
 collections/eastcw/foundryvtt.md | 14 +
 parsers/s01-parse/eastcw/foundryvtt-logs.yaml | 56 +-
 scenarios/eastcw/foundryvtt-bf.yaml | 24 +-
 5 files changed, 280 insertions(+), 235 deletions(-)
diff --git a/.tests/foundryvtt-bf/scenario.assert b/.tests/foundryvtt-bf/scenario.assert
index 12aba70fe83..4d67e2feb63 100644
--- a/.tests/foundryvtt-bf/scenario.assert
+++ b/.tests/foundryvtt-bf/scenario.assert
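Review bot: `name: eastcw/foundryvtt_bf` on the second line does not match the hub name `eastcw/foundryvtt-bf` that both the file path and `collections/eastcw/foundryvtt.yaml` use; hub items are expected to be addressed by the path-derived name, so as written the alert's `GetScenario()` would report a scenario name that `cscli` never installed. `name: eastcw/foundryvtt-bf` keeps the collection, the scenario and the scenario.assert consistent (the later patch renames it to `eastcw/foundryvtt_fast_bf`, which carries the same hyphen/underscore mismatch). `spoofable: 0` and the `groupby: evt.Meta.source_ip` are only sound when the `ip` field Foundry writes is the client's address; if a deployment sits behind a reverse proxy that address is presumably the proxy's, and the README should tell users to verify what Foundry logs in that case before enabling `remediation: true`, otherwise the ban lands on their own proxy.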
@@ -6,49 +6,52 @@ results[0].Overflow.Sources["::ffff:192.168.1.114"].GetScope() == "Ip"
 results[0].Overflow.Sources["::ffff:192.168.1.114"].GetValue() == "::ffff:192.168.1.114"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "foundryvtt-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("level") == "warn"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "foundryvtt_failed_game_auth"
-results[0].Overflow.Alert.Events[0].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[0].GetMeta("message") == "User authentication failed for user Gamemaster; invalid password"
 results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "::ffff:192.168.1.114"
-results[0].Overflow.Alert.Events[0].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[0].GetMeta("status") == "401.000000"
 results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-06-10T21:12:53Z"
-results[0].Overflow.Alert.Events[0].GetMeta("username") == "Gamemaster"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "foundryvtt-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("level") == "warn"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "foundryvtt_failed_game_auth"
-results[0].Overflow.Alert.Events[1].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[1].GetMeta("message") == "User authentication failed for user Gamemaster; invalid password"
 results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "::ffff:192.168.1.114"
-results[0].Overflow.Alert.Events[1].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[1].GetMeta("status") == "401.000000"
 results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-06-10T21:12:54Z"
-results[0].Overflow.Alert.Events[1].GetMeta("username") == "Gamemaster"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "foundryvtt-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("level") == "warn"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "foundryvtt_failed_game_auth"
-results[0].Overflow.Alert.Events[2].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[2].GetMeta("message") == "User authentication failed for user Gamemaster; invalid password"
 results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "::ffff:192.168.1.114"
-results[0].Overflow.Alert.Events[2].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[2].GetMeta("status") == "401.000000"
 results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2024-06-10T21:12:54Z"
-results[0].Overflow.Alert.Events[2].GetMeta("username") == "Gamemaster"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "foundryvtt-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "foundryvtt_failed_admin_auth"
-results[0].Overflow.Alert.Events[3].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[3].GetMeta("level") == "warn"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "foundryvtt_failed_game_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("message") == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password"
 results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "::ffff:192.168.1.114"
-results[0].Overflow.Alert.Events[3].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[3].GetMeta("status") == "403.000000"
 results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2024-06-10T21:12:59Z"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "foundryvtt-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "foundryvtt_failed_admin_auth"
-results[0].Overflow.Alert.Events[4].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[4].GetMeta("level") == "warn"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "foundryvtt_failed_game_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("message") == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password"
 results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "::ffff:192.168.1.114"
-results[0].Overflow.Alert.Events[4].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[4].GetMeta("status") == "403.000000"
 results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2024-06-10T21:13:00Z"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "foundryvtt-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
-results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "foundryvtt_failed_admin_auth"
-results[0].Overflow.Alert.Events[5].GetMeta("service") == "foundryvtt"
+results[0].Overflow.Alert.Events[5].GetMeta("level") == "warn"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "foundryvtt_failed_game_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("message") == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password"
 results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "::ffff:192.168.1.114"
-results[0].Overflow.Alert.Events[5].GetMeta("source_session_id") == "cac2d280a26a838e96e4aaef"
+results[0].Overflow.Alert.Events[5].GetMeta("status") == "403.000000"
 results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2024-06-10T21:13:00Z"
-results[0].Overflow.Alert.GetScenario() == "eastcw/foundryvtt_bf"
+results[0].Overflow.Alert.GetScenario() == "eastcw/foundryvtt_fast_bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
\ No newline at end of file
diff --git a/.tests/foundryvtt-logs/parser.assert b/.tests/foundryvtt-logs/parser.assert
index 5ac62976311..c54d0dfdbba 100644
--- a/.tests/foundryvtt-logs/parser.assert
+++ b/.tests/foundryvtt-logs/parser.assert
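Review bot: The regenerated expectations lock in a misclassification: `Events[3]`, `[4]` and `[5]` carry the message `Administrator authentication failed for session …` with status 403, yet the new lines assert `log_type == "foundryvtt_failed_game_auth"` for them where the removed lines had `foundryvtt_failed_admin_auth`. Unless the admin/game distinction was dropped deliberately, this points at the rewritten parser (its hunk is not in view) tagging every warn line as a game-auth failure, and the assert file should be regenerated after that is fixed rather than accepted as-is. The new `status` values are also stringified as `"401.000000"` / `"403.000000"`, i.e. the float64 that UnmarshalJSON yields; converting in the parser static (for example `expression: string(int(evt.Unmarshaled.foundryvtt.status))`) gives `"401"`, which is what anyone filtering on the meta will write. Dropping the `username` and `source_session_id` meta removes context an operator wants when triaging the alert, so it seems worth keeping them in the new statics. The same log_type and status changes appear in the parser.assert hunk at `@@ -51,292 +59,284 @@` below.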
@@ -3,43 +3,51 @@ len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 8 results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 10:29:21\"}" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "foundryvtt" -results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"51d183ff8c3b547a6a1883df\",\"status\":401,\"timestamp\":\"2024-06-10 10:29:56\"}" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "foundryvtt" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:53\"}" 
results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "foundryvtt" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Parsed["program"] == "foundryvtt" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][3].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Parsed["program"] == "foundryvtt" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][4].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["message"] == 
"{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:12:59\"}" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Parsed["program"] == "foundryvtt" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][5].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Parsed["program"] == "foundryvtt" -results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/non-syslog"][6].Evt.Whitelisted == false results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Parsed["program"] == "foundryvtt" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Meta["datasource_type"] == 
"file" +results["s00-raw"]["crowdsecurity/non-syslog"][7].Evt.Whitelisted == false len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false 
@@ -51,292 +59,284 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false len(results["s01-parse"]["eastcw/foundryvtt-logs"]) == 8 results["s01-parse"]["eastcw/foundryvtt-logs"][0].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["date"] == "2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["day"] == "10" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["source_ip"] == "192.168.1.165" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["time"] == "10:29:21" results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 10:29:21\"}" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["month"] == "06" results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df" results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" -results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["service"] == "foundryvtt" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" 
+results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["message"] == "Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password" results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["source_ip"] == "192.168.1.165" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Meta["status"] == "403.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Unmarshaled["foundryvtt"]["ip"] == "192.168.1.165" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 10:29:21" +results["s01-parse"]["eastcw/foundryvtt-logs"][0].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][1].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["day"] == "10" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["source_ip"] == "192.168.1.165" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["time"] == "10:29:56" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["username"] == "Gamemaster" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["date"] == "2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["month"] == "06" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["year"] == "2024" results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["message"] == 
"{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"51d183ff8c3b547a6a1883df\",\"status\":401,\"timestamp\":\"2024-06-10 10:29:56\"}" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["service"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["source_ip"] == "192.168.1.165" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df" -results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["username"] == "Gamemaster" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Parsed["program"] == "foundryvtt" results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["level"] == "warn" results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["source_ip"] == "192.168.1.165" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Meta["status"] == "401.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 10:29:56" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Unmarshaled["foundryvtt"]["ip"] == "192.168.1.165" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Unmarshaled["foundryvtt"]["session"] == "51d183ff8c3b547a6a1883df" 
+results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s01-parse"]["eastcw/foundryvtt-logs"][1].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][2].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["date"] == "2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["time"] == "21:12:53" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["day"] == "10" results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:53\"}" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["month"] == "06" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["username"] == "Gamemaster" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["username"] == "Gamemaster" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Parsed["program"] == "foundryvtt" results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["level"] == "warn" 
results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" -results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["service"] == "foundryvtt" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Meta["status"] == "401.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Unmarshaled["foundryvtt"]["session"] == "cac2d280a26a838e96e4aaef" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:53" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][2].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][3].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["date"] == "2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["day"] == "10" results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["program"] == "foundryvtt" 
-results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["month"] == "06" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["time"] == "21:12:54" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["username"] == "Gamemaster" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["service"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["username"] == "Gamemaster" results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Meta["status"] == "401.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Unmarshaled["foundryvtt"]["session"] == "cac2d280a26a838e96e4aaef" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Unmarshaled["foundryvtt"]["status"] == 401 
+results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:54" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][3].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][4].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["date"] == "2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["month"] == "06" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["time"] == "21:12:54" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["username"] == "Gamemaster" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["day"] == "10" results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["service"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["source_session_id"] 
== "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["username"] == "Gamemaster" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Parsed["program"] == "foundryvtt" results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["level"] == "warn" results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Meta["status"] == "401.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Unmarshaled["foundryvtt"]["session"] == "cac2d280a26a838e96e4aaef" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:54" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][4].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][5].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["month"] == "06" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["date"] == 
"2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["day"] == "10" results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:12:59\"}" results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Parsed["time"] == "21:12:59" results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["service"] == "foundryvtt" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Meta["status"] == "403.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Unmarshaled["foundryvtt"]["level"] == 
"warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:59" +results["s01-parse"]["eastcw/foundryvtt-logs"][5].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][6].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["day"] == "10" results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["month"] == "06" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["date"] == "2024-06-10" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["time"] == "21:13:00" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Parsed["program"] == "foundryvtt" results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" 
-results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["service"] == "foundryvtt" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Meta["status"] == "403.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:13:00" +results["s01-parse"]["eastcw/foundryvtt-logs"][6].Evt.Whitelisted == false results["s01-parse"]["eastcw/foundryvtt-logs"][7].Success == true -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["date"] == "2024-06-10" results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["month"] == "06" 
-results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["time"] == "21:13:00" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["year"] == "2024" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["day"] == "10" results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["program"] == "foundryvtt" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["service"] == "foundryvtt" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Meta["status"] == "403.000000" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:13:00" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Unmarshaled["foundryvtt"]["message"] == 
"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s01-parse"]["eastcw/foundryvtt-logs"][7].Evt.Whitelisted == false len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 10:29:21\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["month"] == "06" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["time"] == "10:29:21" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["year"] == "2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "2024-06-10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["day"] == "10" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_ip"] == "192.168.1.165" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.165" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-06-10T10:29:21Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == 
"file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["message"] == "Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.165" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["status"] == "403.000000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-06-10T10:29:21Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-06-10T10:29:21Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["foundryvtt"]["ip"] == "192.168.1.165" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session 51d183ff8c3b547a6a1883df; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 10:29:21" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "{\"ip\":\"192.168.1.165\",\"level\":\"warn\",\"message\":\"User authentication 
failed for user Gamemaster; invalid password\",\"session\":\"51d183ff8c3b547a6a1883df\",\"status\":401,\"timestamp\":\"2024-06-10 10:29:56\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["month"] == "06" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["session_id"] == "51d183ff8c3b547a6a1883df" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "192.168.1.165" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["username"] == "Gamemaster" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["year"] == "2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["day"] == "10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["time"] == "10:29:56" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "2024-06-10" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["level"] == "warn" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.165" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_session_id"] == "51d183ff8c3b547a6a1883df" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["status"] == "401.000000" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-06-10T10:29:56Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["username"] == "Gamemaster" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-06-10T10:29:56Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["foundryvtt"]["session"] == "51d183ff8c3b547a6a1883df" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 10:29:56" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["foundryvtt"]["ip"] == "192.168.1.165" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["month"] == "06" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["date"] == "2024-06-10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["day"] == "10" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid 
password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:53\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["username"] == "Gamemaster" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["year"] == "2024" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["time"] == "21:12:53" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["level"] == "warn" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["status"] == "401.000000" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-06-10T21:12:53Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["username"] == "Gamemaster" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:53Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["foundryvtt"]["session"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:53" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["time"] == "21:12:54" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["date"] == "2024-06-10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["day"] == "10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["username"] == "Gamemaster" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["year"] == "2024" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication 
failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["month"] == "06" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "foundryvtt" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["level"] == "warn" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["status"] == "401.000000" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-06-10T21:12:54Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["username"] == "Gamemaster" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:54Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user 
Gamemaster; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["foundryvtt"]["session"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:54" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["username"] == "Gamemaster" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["date"] == "2024-06-10" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"User authentication failed for user Gamemaster; invalid password\",\"session\":\"cac2d280a26a838e96e4aaef\",\"status\":401,\"timestamp\":\"2024-06-10 21:12:54\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["month"] == "06" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["time"] == "21:12:54" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["year"] == "2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["day"] == "10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" 
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-06-10T21:12:54Z" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["username"] == "Gamemaster" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["level"] == "warn" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["status"] == "401.000000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-06-10T21:12:54Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:54Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:54" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["foundryvtt"]["message"] == "User authentication failed for user Gamemaster; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["foundryvtt"]["session"] == "cac2d280a26a838e96e4aaef" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["foundryvtt"]["status"] == 401 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["month"] == "06" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["year"] == "2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["date"] == "2024-06-10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["day"] == "10" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:12:59\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["time"] == "21:12:59" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2024-06-10T21:12:59Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["level"] == "warn" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["status"] == "403.000000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2024-06-10T21:12:59Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:12:59Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:12:59" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["date"] == "2024-06-10" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid 
password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["year"] == "2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["day"] == "10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["month"] == "06" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["session_id"] == "cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["time"] == "21:13:00" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "foundryvtt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["status"] == "403.000000" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2024-06-10T21:13:00Z" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:13:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["year"] == "2024" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["time"] == "21:13:00" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["date"] == "2024-06-10" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["day"] == "10" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "{\"ip\":\"::ffff:192.168.1.114\",\"level\":\"warn\",\"message\":\"Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password\",\"status\":403,\"timestamp\":\"2024-06-10 21:13:00\"}" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["month"] == "06" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["session_id"] == 
"cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "foundryvtt" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_session_id"] == "cac2d280a26a838e96e4aaef" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2024-06-10T21:13:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"] == "foundryvtt-logs.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "foundryvtt_failed_admin_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "foundryvtt_failed_game_auth" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["status"] == "403.000000" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2024-06-10T21:13:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2024-06-10T21:13:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["foundryvtt"]["ip"] == "::ffff:192.168.1.114" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["foundryvtt"]["level"] == "warn" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["foundryvtt"]["message"] == "Administrator authentication failed for session cac2d280a26a838e96e4aaef; 
invalid password" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["foundryvtt"]["status"] == 403 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Unmarshaled["foundryvtt"]["timestamp"] == "2024-06-10 21:13:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false len(results["success"][""]) == 0 \ No newline at end of file diff --git a/collections/eastcw/foundryvtt.md b/collections/eastcw/foundryvtt.md index 3c96e876339..2dc36cdf239 100644 --- a/collections/eastcw/foundryvtt.md +++ b/collections/eastcw/foundryvtt.md @@ -3,6 +3,20 @@ A collection to defend [Foundry VTT](https://foundryvtt.com/) server instances a - Foundry VTT parser - Foundry VTT brute force detection +## Whitelist + +You may also want to use a whitelist to prevent Foundry triggering http-crawl-non_statics. Mine looks like this and prevents the issue for my foundry subdomain. + +```yaml +name: eastcw/foundryvtt-whitelist +description: "Whitelist events from Foundry VTT" +filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log']" +whitelist: + reason: "Foundryvtt Whitelist" + expression: + - evt.Meta.http_verb in ['GET', 'HEAD'] && evt.Meta.target_fqdn == 'foundry.example.com' && evt.Parsed.static_ressource == 'false' +``` + ## Acquisition Templates See example acquisitions for this collection below. Foundry V12 changed the way logs are generated and now creates a new file daily. diff --git a/parsers/s01-parse/eastcw/foundryvtt-logs.yaml b/parsers/s01-parse/eastcw/foundryvtt-logs.yaml index 2705f9b28fd..f809630410e 100644 --- a/parsers/s01-parse/eastcw/foundryvtt-logs.yaml +++ b/parsers/s01-parse/eastcw/foundryvtt-logs.yaml 
@@ -1,33 +1,41 @@ name: eastcw/foundryvtt-logs description: "Parse Foundry VTT logs" -filter: "evt.Parsed.program == 'foundryvtt'" -debug: true +filter: "evt.Parsed.program == 'foundryvtt' && UnmarshalJSON(evt.Line.Raw, evt.Unmarshaled, 'foundryvtt') in ['', nil]" +debug: false onsuccess: next_stage pattern_syntax: DATE_YMD: "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}" -nodes: - - grok: - pattern: '\{"ip":"%{IP:source_ip}","level":"warn","message":"Administrator authentication failed for session %{BASE16NUM:session_id}; invalid password","status":403,"timestamp":"%{DATE_YMD:date} %{TIME:time}"}' - apply_on: message - statics: - - meta: log_type - value: foundryvtt_failed_admin_auth - - grok: - pattern: '\{"ip":"%{IP:source_ip}","level":"warn","message":"User authentication failed for user %{USERNAME:username}; invalid password","session":"%{BASE16NUM:session_id}","status":401,"timestamp":"%{DATE_YMD:date} %{TIME:time}"}' - apply_on: message - statics: - - meta: log_type - value: foundryvtt_failed_game_auth - - meta: username - expression: evt.Parsed.username - +grok: + pattern: "%{DATE_YMD.date} %{TIME.time}" + expression: evt.Unmarshaled.foundryvtt.timestamp statics: - - meta: service - value: foundryvtt - meta: source_ip - expression: evt.Parsed.source_ip - - meta: source_session_id - expression: evt.Parsed.session_id + expression: evt.Unmarshaled.foundryvtt.ip + - meta: level + expression: evt.Unmarshaled.foundryvtt.level + - meta: message + expression: evt.Unmarshaled.foundryvtt.message + - meta: status + expression: evt.Unmarshaled.foundryvtt.status - target: evt.StrTime - expression: evt.Parsed.date + ' ' + evt.Parsed.time + expression: evt.Unmarshaled.foundryvtt.timestamp +nodes: + - nodes: + - grok: + pattern: "User authentication failed for user %{USERNAME:username}; invalid password" + expression: evt.Meta.message + - statics: + - meta: log_type + value: foundryvtt_failed_game_auth + - meta: username + expression: evt.Parsed.username + - nodes: + - 
grok: + pattern: "Administrator authentication failed for session %{BASE16NUM:session_id}; invalid password" + expression: evt.Meta.message + - statics: + - meta: log_type + value: foundryvtt_failed_admin_auth + - meta: session_id + expression: evt.Parsed.session_id diff --git a/scenarios/eastcw/foundryvtt-bf.yaml b/scenarios/eastcw/foundryvtt-bf.yaml index 5a12df8be37..00ff70003d8 100644 --- a/scenarios/eastcw/foundryvtt-bf.yaml +++ b/scenarios/eastcw/foundryvtt-bf.yaml @@ -1,9 +1,9 @@ type: leaky -name: eastcw/foundryvtt_bf +name: eastcw/foundryvtt_fast_bf description: "Detect Foundry VTT bruteforce" filter: "evt.Meta.log_type in ['foundryvtt_failed_admin_auth', 'foundryvtt_failed_game_auth']" -leakspeed: 30s +leakspeed: 10s capacity: 5 groupby: evt.Meta.source_ip blackhole: 5m @@ -16,3 +16,23 @@ labels: spoofable: 0 confidence: 3 remediation: true + +--- +type: leaky +name: eastcw/foundryvtt_slow_bf +description: "Detect Foundry VTT bruteforce" + +filter: "evt.Meta.log_type in ['foundryvtt_failed_admin_auth', 'foundryvtt_failed_game_auth']" +leakspeed: 90s +capacity: 10 +groupby: evt.Meta.source_ip +blackhole: 5m +reprocess: true +labels: + service: foundryvtt + behavior: "generic:bruteforce" + classification: attack.T1110 + label: "Foundry VTT Bruteforce" + spoofable: 0 + confidence: 3 + remediation: true From 5f5312507723109c7a8761b116f8a7c3e9c1e9c6 Mon Sep 17 00:00:00 2001 From: Cameron East <25549143+eastcw@users.noreply.github.com> Date: Mon, 24 Jun 2024 14:28:39 +0100 Subject: [PATCH 3/3] added back missing service meta --- parsers/s01-parse/eastcw/foundryvtt-logs.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/parsers/s01-parse/eastcw/foundryvtt-logs.yaml b/parsers/s01-parse/eastcw/foundryvtt-logs.yaml index f809630410e..5cff728f03f 100644 --- a/parsers/s01-parse/eastcw/foundryvtt-logs.yaml +++ b/parsers/s01-parse/eastcw/foundryvtt-logs.yaml 
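Review bot: In the new `nodes:` tree each `- statics:` entry is its own child node with no grok or filter, so it succeeds unconditionally and runs even when the sibling `- grok:` child did not match; the parser.assert updated in this same patch shows the effect, with the Administrator-authentication events ([5]–[7]) now asserted as `log_type == "foundryvtt_failed_game_auth"` and with no `session_id` meta. Because the top-level node has `onsuccess: next_stage`, the first `- nodes:` group appears to always succeed on its statics child and end the walk, so the admin branch is never reached; the scenario filter still fires since it accepts both log types, but the admin/user distinction and the `username`/`session_id` context are lost. Keeping `grok:` and `statics:` as sibling keys of the same node (as the removed version did) restores the conditional behaviour, and the affected parser.assert lines should then go back to `foundryvtt_failed_admin_auth`. A smaller point: `evt.Unmarshaled.foundryvtt.status` is a JSON number, so `Meta["status"]` is stored as `"401.000000"` (visible in the assert file); `expression: string(int(evt.Unmarshaled.foundryvtt.status))` would give the `"401"` a scenario filter would naturally compare against.
```yaml
# … unchanged: name, description, filter, debug, onsuccess, pattern_syntax, top-level grok and statics …
nodes:
  - grok:
      pattern: "User authentication failed for user %{USERNAME:username}; invalid password"
      expression: evt.Meta.message
    statics:
      - meta: log_type
        value: foundryvtt_failed_game_auth
      - meta: username
        expression: evt.Parsed.username
  - grok:
      pattern: "Administrator authentication failed for session %{BASE16NUM:session_id}; invalid password"
      expression: evt.Meta.message
    statics:
      - meta: log_type
        value: foundryvtt_failed_admin_auth
      - meta: session_id
        expression: evt.Parsed.session_id
```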
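Review bot: Renaming the scenario from `eastcw/foundryvtt_bf` to `eastcw/foundryvtt_fast_bf` changes its hub identifier, and nothing visible in this patch updates the collection's scenario list or the scenario test assertions; if either still references the old name, it needs the same change in this PR. Both documents in this file also carry the identical `description: "Detect Foundry VTT bruteforce"` and `label: "Foundry VTT Bruteforce"`, so the fast and slow buckets are indistinguishable wherever those strings are shown; the same applies to the new document added in the following hunk. Suggest `description: "Detect Foundry VTT fast bruteforce"` here and `description: "Detect Foundry VTT slow bruteforce"` in the second document, with matching `label` values.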
@@ -10,6 +10,8 @@ grok: pattern: "%{DATE_YMD.date} %{TIME.time}" expression: evt.Unmarshaled.foundryvtt.timestamp statics: + - meta: service + value: foundryvtt - meta: source_ip expression: evt.Unmarshaled.foundryvtt.ip - meta: level
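Review bot: The `service` meta is restored here, but `.tests/foundryvtt-logs/parser.assert` is not touched in this commit (the diffstat lists one file) and the earlier patch in this series removed every `Evt.Meta["service"] == "foundryvtt"` line from it, so the regression this commit fixes has no test guarding it. Re-adding an assertion of the form `results["s02-enrich"]["crowdsecurity/dateparse-enrich"][N].Evt.Meta["service"] == "foundryvtt"` for each event index (N being the index) would catch a future removal. The `statics:` list continues past the end of the hunk.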