From 927bd91ce0c80d8039014dadd794e56892aced77 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 9 Feb 2022 19:56:58 +0100
Subject: [PATCH 1/7] Remove event.ingested and re-generate logs

This removes event.ingested from the pipeline (unnecessary) and re-generates the log so that keys are now sorted, for easier comparison of changes.
---
 .../test-azuread-events.json-expected.json | 27168 ++++++++--------
 ...zuread-sts-logon-events.json-expected.json | 11433 +++----
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 ...ata-insights-api-events.json-expected.json | 519 +-
 ...est-dlp-exchange-events.json-expected.json | 994 +-
 ...t-dlp-sharepoint-events.json-expected.json | 869 +-
 ...t-exchange-admin-events.json-expected.json | 9666 +++---
 ...st-exchange-item-events.json-expected.json | 959 +-
 .../test-ip-formats-events.json-expected.json | 637 +-
 .../test-ms-teams-events.json-expected.json | 316 +-
 .../test-parameter-string.json-expected.json | 222 +-
 ...-sec-comp-alerts-events.json-expected.json | 249 +-
 .../test-sharepoint-events.json-expected.json | 484 +-
 ...sharepointfileop-events.json-expected.json | 1495 +-
 ...st-sp-sharing-op-events.json-expected.json | 1092 +-
 .../test-yammer-events.json-expected.json | 214 +-
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 17 files changed, 26849 insertions(+), 29473 deletions(-)
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
index e9075278450..b201bc27b33 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json
@@ -1,7077 +1,6649 @@ { "expected": [ { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:33:26.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},
{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n 
\\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:33:26", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:33:26.1037807Z", - 
"env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "38438635", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:33:26.1037807Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - 
"env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n 
\"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T15:33:26", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:33:26.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" 
}, - "event": { - "ingested": "2022-01-02T03:47:58.413569913Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "8f6eb24b-6e61-4ee2-a376-31368c300613", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:33:26.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:33:26.1037807Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "38438635", - 
"targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, + "Actor": [ { - "Type": 2, - "ID": "Application" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", - "ModifiedProperties": { - "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "ID": "1003200096971F55", + "Type": 3 }, - "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": 
\"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" - } - }, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:33:26", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": 
"1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38438635", + "env_time": "2020-02-09T15:33:26.1037807Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "Application", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "Included_Updated_Properties": { + "NewValue": "RequiredResourceAccess", + "OldValue": "" + }, + "RequiredResourceAccess": { + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": 
[]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + } + }, + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", + "SupportTicketId": "", + "Target": [ + { + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 + }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "Application", + "Type": 2 + }, + { + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T15:33:26", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:33:26.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413573192Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\
"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not 
Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "8f6eb24b-6e61-4ee2-a376-31368c300613", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:33:26.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "8f6eb24b-6e61-4ee2-a376-31368c300613", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:33:26", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:33:26.1037807Z", - 
"env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "38438635", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:33:26.1037807Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - 
"env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n 
\"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T15:33:26", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:33:26.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" 
}, - "event": { - "ingested": "2022-01-02T03:47:58.413574331Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1037807Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438635\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"8f6eb24b-6e61-4ee2-a376-31368c300613\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n 
\\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "8f6eb24b-6e61-4ee2-a376-31368c300613", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:33:26.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "b2cc2456-5ac5-4399-b960-82a40036476f", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:33:26.1638042Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": 
"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "38438642", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:33:26", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38438642", + "env_time": "2020-02-09T15:33:26.1638042Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + 
"ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:33:26", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:33:26.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413575282Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "b2cc2456-5ac5-4399-b960-82a40036476f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:33:26.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "b2cc2456-5ac5-4399-b960-82a40036476f", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:33:26.1638042Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": 
"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "38438642", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": 
"2020-02-09T15:33:26", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "528b5206-f6de-4c1f-86db-5f750a9960c9", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38438642", + "env_time": "2020-02-09T15:33:26.1638042Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "Included_Updated_Properties": { + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:33:26", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:33:26.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413576409Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:33:26\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"528b5206-f6de-4c1f-86db-5f750a9960c9\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:33:26.1638042Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38438642\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"b2cc2456-5ac5-4399-b960-82a40036476f\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "b2cc2456-5ac5-4399-b960-82a40036476f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:06.3062012Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": 
"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "38464425", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38464425", + "env_time": "2020-02-09T15:34:06.3062012Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413577401Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "7f09b681-251f-4ff0-97cf-5247891b6981", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:06.3062012Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "38464434", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38464434", + "env_time": "2020-02-09T15:34:06.3062012Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413578565Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:06", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:06.3062012Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", - "resultType": "Success", + "actorPUID": "1003200096971F55", "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "38464425", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "env_cloud_ver": "1.0", + "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", "env_epoch": "31CXC", "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38464425", + "env_time": "2020-02-09T15:34:06.3062012Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 
2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Office 365 Management APIs" - }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413579634Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "7f09b681-251f-4ff0-97cf-5247891b6981", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:06.3062012Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "38464434", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38464434", + "env_time": "2020-02-09T15:34:06.3062012Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413580942Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464434\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"d8a2ae24-a752-4f8e-adca-c57189a76a71\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "d8a2ae24-a752-4f8e-adca-c57189a76a71", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "7f09b681-251f-4ff0-97cf-5247891b6981", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:06.3062012Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", - "env_cloud_roleInstance": "AM5RRDSR556", - "env_cv": 
"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "38464425", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "31CXC", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "ac045271-8d7f-49b2-abc9-5130051d879f", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR556", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407", + "env_epoch": "31CXC", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "38464425", + "env_time": "2020-02-09T15:34:06.3062012Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413581941Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:06\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"ac045271-8d7f-49b2-abc9-5130051d879f\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:06.3062012Z\"},{\"Name\":\"env_epoch\",\"Value\":\"31CXC\"},{\"Name\":\"env_seqNum\",\"Value\":\"38464425\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##2b06f483-d288-458d-b40b-af7ad69a2407_00000000-0000-0000-0000-000000000000_2b06f483-d288-458d-b40b-af7ad69a2407\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR556\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7f09b681-251f-4ff0-97cf-5247891b6981\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "7f09b681-251f-4ff0-97cf-5247891b6981", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "02868191-019a-453a-a3a9-a21f44898778", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "51372061", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "51372061", + "env_time": "2020-02-09T15:34:47.4999796Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413583265Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "02868191-019a-453a-a3a9-a21f44898778", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "02868191-019a-453a-a3a9-a21f44898778", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "51372061", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:34:47.4999796Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", 
- "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, - { - "Type": 2, - "ID": "ServicePrincipal" + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" }, - { - "Type": 1, - "ID": "Office 365 Management APIs" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", - "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413584371Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "02868191-019a-453a-a3a9-a21f44898778", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "51372052", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": 
"asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "51372052", + "env_time": "2020-02-09T15:34:47.4999796Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 
Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413585389Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": 
"115f72b6-e8e6-4710-98e9-63ccd20bf2ec", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "51372061", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "02868191-019a-453a-a3a9-a21f44898778", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + 
"env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "51372061", + "env_time": "2020-02-09T15:34:47.4999796Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - 
"ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413586416Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"
Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "02868191-019a-453a-a3a9-a21f44898778", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - 
"lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.1
1737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": 
"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "51372052", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": 
"PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "51372052", + "env_time": "2020-02-09T15:34:47.4999796Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" + } }, - "Version": 
"1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - 
"address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413587403Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": 
"115f72b6-e8e6-4710-98e9-63ccd20bf2ec", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "51372052", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": 
"asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "51372052", + "env_time": "2020-02-09T15:34:47.4999796Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 
Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", + "target": { + "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + } + } + }, + { + "@timestamp": "2020-02-09T15:34:47.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:47:58.413588395Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], "code": 
"AzureActiveDirectory", - "provider": "AzureActiveDirectory", + "id": "02868191-019a-453a-a3a9-a21f44898778", "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", "type": [ "info" - ], - "category": [ - "web" - ], - 
"outcome": "success" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com", - "target": { - "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", - "env_cloud_roleInstance": "AM5RRDSR568", - 
"env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "51372061", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + 
"Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "51372061", + "env_time": "2020-02-09T15:34:47.4999796Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413589529Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372061\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"02868191-019a-453a-a3a9-a21f44898778\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "02868191-019a-453a-a3a9-a21f44898778", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:47.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:47", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:47.4999796Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "d37460cd-3d19-4ae9-9515-015f27036e74", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "FYE60", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "51372052", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:34:47.4999796Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "FYE60", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Office 365 Management APIs" - }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, 
"ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:47", + "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413590541Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:47\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"
1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"d37460cd-3d19-4ae9-9515-015f27036e74\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:47.4999796Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FYE60\"},{\"Name\":\"env_seqNum\",\"Value\":\"51372052\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##bbd4acc6-20b3-4cd0-8b7a-219510222555_00000000-0000-0000-0000-000000000000_bbd4acc6-20b3-4cd0-8b7a-219510222555\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"115f72b6-e8e6-4710-98e9-63ccd20bf2ec\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "115f72b6-e8e6-4710-98e9-63ccd20bf2ec", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + 
"@timestamp": "2020-02-09T15:34:52.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; 
rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n 
\\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": 
"AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:52", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:52.5873254Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "5345f95e-44e0-48fc-823c-8206ff821338", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + 
"env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR565", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "FQXLK", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "42492828", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:34:52.5873254Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "FQXLK", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": 
"Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n 
\"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T15:34:52", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": 
"asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413591544Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\
"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n 
\\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:52.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n 
\\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": 
{ + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:52", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:52.5873254Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "5345f95e-44e0-48fc-823c-8206ff821338", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + 
"env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR565", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "FQXLK", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "42492828", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:34:52.5873254Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "FQXLK", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - 
"RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": 
\"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T15:34:52", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": 
"asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413592444Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\
"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.5873254Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492828\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fe115c66-3e08-4ab4-8a00-84ae25a59078\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n 
\\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "fe115c66-3e08-4ab4-8a00-84ae25a59078", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:34:52.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:34:52", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - 
"targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T15:34:52.6473040Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "5345f95e-44e0-48fc-823c-8206ff821338", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR565", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "FQXLK", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "42492835", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T15:34:52.6473040Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - 
"version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "FQXLK", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" - }, - { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "siem" - }, - { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-09T15:34:52", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:34:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413593387Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:34:52\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"5345f95e-44e0-48fc-823c-8206ff821338\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T15:34:52.6473040Z\"},{\"Name\":\"env_epoch\",\"Value\":\"FQXLK\"},{\"Name\":\"env_seqNum\",\"Value\":\"42492835\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##957dae7d-5f0a-4e82-a428-61c0dba2878b_00000000-0000-0000-0000-000000000000_957dae7d-5f0a-4e82-a428-61c0dba2878b\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR565\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"76f9b173-c35c-4dbb-b5f7-64750ae994ce\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "76f9b173-c35c-4dbb-b5f7-64750ae994ce", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:25:54.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:25:54", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:25:54.7174137Z", - 
"env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR575", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "73AB6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43793182", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T18:25:54.7174137Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - 
"env_epoch": "73AB6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n 
}\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T18:25:54", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:25:54.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413594353Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:25:54.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:25:54", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:25:54.7174137Z", - 
"env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR575", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "73AB6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43793182", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T18:25:54.7174137Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - 
"env_epoch": "73AB6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n 
}\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T18:25:54", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:25:54.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413595264Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:25:54.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:25:54", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:25:54.7174137Z", - 
"env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR575", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "73AB6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43793182", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T18:25:54.7174137Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - 
"env_epoch": "73AB6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem", + "targetObjectId": "08d8bb01-c269-4a92-9929-a1a89b729512", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "08d8bb01-c269-4a92-9929-a1a89b729512" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": 
\"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n 
}\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem", + "Type": 1 } ], - "CreationTime": "2020-02-09T18:25:54", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:25:54.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413596331Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"08d8bb01-c269-4a92-9929-a1a89b729512\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7174137Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793182\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d6ad8dba-dd88-499e-a1e1-e649bf8eeb71\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"08d8bb01-c269-4a92-9929-a1a89b729512\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "d6ad8dba-dd88-499e-a1e1-e649bf8eeb71", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:25:54.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "606ae654-e71e-4a6b-a07c-85acd775667b", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:25:54.7823970Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", - "env_cloud_roleInstance": "AM5RRDSR575", - "env_cv": 
"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43793206", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "73AB6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:25:54", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "51e48c97-80b1-42bb-b732-8b578dfac528", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR575", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c", + "env_epoch": "73AB6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43793206", + "env_time": "2020-02-09T18:25:54.7823970Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + 
"ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:25:54", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:25:54.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413597282Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:25:54\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"51e48c97-80b1-42bb-b732-8b578dfac528\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:25:54.7823970Z\"},{\"Name\":\"env_epoch\",\"Value\":\"73AB6\"},{\"Name\":\"env_seqNum\",\"Value\":\"43793206\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##a3a48e48-9c2c-4655-9862-13069eb7726c_00000000-0000-0000-0000-000000000000_a3a48e48-9c2c-4655-9862-13069eb7726c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR575\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"606ae654-e71e-4a6b-a07c-85acd775667b\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "606ae654-e71e-4a6b-a07c-85acd775667b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9242333Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "46795815", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795815", + "env_time": "2020-02-09T18:26:05.9242333Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413598377Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9992570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "46795878", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T18:26:05.9992570Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Office 365 Management APIs" - }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, 
"ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413599388Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"
1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9242333Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "46795815", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795815", + "env_time": "2020-02-09T18:26:05.9242333Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413600323Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9992570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "46795878", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": 
"asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795878", + "env_time": "2020-02-09T18:26:05.9992570Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 
Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413601221Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"41c7d7a7-ce53-4696-aa78-37c451a95fe1", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9242333Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": 
"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "46795815", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795815", + "env_time": "2020-02-09T18:26:05.9242333Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413602128Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9992570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "46795878", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-09T18:26:05.9992570Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, - { - "Type": 2, - "ID": "ServicePrincipal" + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" }, - { - "Type": 1, - "ID": "Office 365 Management APIs" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": 
"", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", 
+ "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413603080Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\"
:\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "41c7d7a7-ce53-4696-aa78-37c451a95fe1", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office
.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environ
ment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": 
{ + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9992570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "46795878", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795878", + "env_time": "2020-02-09T18:26:05.9992570Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413604085Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9992570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795878\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"41c7d7a7-ce53-4696-aa78-37c451a95fe1\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"41c7d7a7-ce53-4696-aa78-37c451a95fe1", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:05.9242333Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "46795815", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:05", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + 
"actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795815", + "env_time": "2020-02-09T18:26:05.9242333Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + 
"version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:05", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413605143Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:05\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:05.9242333Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795815\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"14f7e7eb-0fd1-4f89-bda8-642d035f3541\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "14f7e7eb-0fd1-4f89-bda8-642d035f3541", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T18:26:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Consent to application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, 
ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:06.0142481Z", - "env_cloud_role": 
"restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "46795893", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": 
"71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, - "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" - }, - "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" - }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" - } + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", 
+ "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795893", + "env_time": "2020-02-09T18:26:06.0142481Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ConsentAction_Permissions": { + "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" + }, + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" + }, + "ConsentContext_IsAppOnly": { + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + 
"OldValue": "" + }, + "ConsentContext_Tags": { + "NewValue": "", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + } }, - "Version": "1", + "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": 
"67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413606097Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"vers
ion\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: 
AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Consent to application.", - "id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - 
"number": 35908 - }, + "@timestamp": "2020-02-09T18:26:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Consent to application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Val
ue\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldVal
ue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - 
"ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-09T18:26:06.0142481Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", - "env_cloud_roleInstance": "AM5RRDSR530", - "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "46795893", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "0871Y", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": 
"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T18:26:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "206711cb-0722-49cc-a9ad-af7f34da9452", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR530", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99", + "env_epoch": "0871Y", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", 
+ "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "46795893", + "env_time": "2020-02-09T18:26:06.0142481Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " + "NewValue": "[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" }, 
"ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" + "TargetId_ServicePrincipalNames": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-09T18:26:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T18:26:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - 
"organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413607164Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T18:26:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"Cons
entContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"206711cb-0722-49cc-a9ad-af7f34da9452\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-09T18:26:06.0142481Z\"},{\"Name\":\"env_epoch\",\"Value\":\"0871Y\"},{\"Name\":\"env_seqNum\",\"Value\":\"46795893\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7d51f55f-78c7-4cb8-8046-40aecfef1c99_00000000-0000-0000-0000-000000000000_7d51f55f-78c7-4cb8-8046-40aecfef1c99\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR530\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"821dc03c-4e38-4cd1-82b2-3155b41b4418\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValu
e\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Consent to application.", - "id": "821dc03c-4e38-4cd1-82b2-3155b41b4418", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": 
"asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { + "@timestamp": "2020-02-10T15:15:04.000Z", + "client": {}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "web", + "iam" + ], + "code": "AzureActiveDirectory", + "id": "83c924c1-f2e2-4b39-8eda-b80c3823a875", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"fim_password_service@support.onmicrosoft.com\",\"Type\":5},{\"ID\":\"100300008060F582\",\"Type\":3},{\"ID\":\"User_00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\",\"ActorIpAddress\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"\",\"CreationTime\":\"2020-02-10T15:15:04\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\"},{\"Name\":\"actorObjectId\",\"Value\":\"00000000-0000-0000-0000-000000000000\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"fim_password_service@support.onmicrosoft.com\"},{\"Name\":\"actorPUID\",\"Value\":\"100300008060F582\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"StrongAuthenticationPhoneAppDetail\\\",\\\"TargetId.UserType\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"4aa56c6c-8fa5-4787-a165-03f181541438\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"UserType\\\":\\\"Member\\\"}\"},{\"Name\":\"resultType\",
\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:15:04.2043419Z\"},{\"Name\":\"env_epoch\",\"Value\":\"4QPHR\"},{\"Name\":\"env_seqNum\",\"Value\":\"87075075\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"becwebservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"becwebservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RBWSR554\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"83c924c1-f2e2-4b39-8eda-b80c3823a875\",\"ModifiedProperties\":[{\"Name\":\"StrongAuthenticationPhoneAppDetail\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": -1,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n 
}\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": 0,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"StrongAuthenticationPhoneAppDetail\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Update user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"fim_password_service@support.onmicrosoft.com\",\"UserKey\":\"100300008060F582@support.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "user", + "change" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "asr@testsiem.onmicrosoft.com", - "ResultStatus": "Success", - "UserKey": "100300008060F582@support.onmicrosoft.com", + "Actor": [ + { + "ID": "fim_password_service@support.onmicrosoft.com", + "Type": 5 + }, + { + "ID": 
"100300008060F582", + "Type": 3 + }, + { + "ID": "User_00000000-0000-0000-0000-000000000000", + "Type": 2 + }, + { + "ID": "00000000-0000-0000-0000-000000000000", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", "ActorIpAddress": "", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:15:04", "ExtendedProperties": { + "actorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", "actorObjectClass": "User", - "teamName": "MSODS.", - "targetUPN": "asr@testsiem.onmicrosoft.com", - "env_cloud_deploymentUnit": "R5", - "env_appId": "becwebservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "00000000-0000-0000-0000-000000000000", - "env_time": "2020-02-10T15:15:04.2043419Z", - "targetPUID": "1003200096971F55", - "env_cloud_role": "becwebservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "100300008060F582", + "actorUPN": "fim_password_service@support.onmicrosoft.com", + "additionalDetails": "{\"UserType\":\"Member\"}", + "auditEventCategory": "UserManagement", "correlationId": "4aa56c6c-8fa5-4787-a165-03f181541438", + "env_appId": "becwebservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "becwebservice", "env_cloud_roleInstance": "AM5RBWSR554", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000", - "resultType": "Success", - "actorUPN": "fim_password_service@support.onmicrosoft.com", - "auditEventCategory": "UserManagement", + "env_epoch": "4QPHR", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": 
"\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "87075075", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:15:04.2043419Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"StrongAuthenticationPhoneAppDetail\",\"TargetId.UserType\"]", - "additionalDetails": "{\"UserType\":\"Member\"}", - "version": "2", "extendedAuditEventCategory": "User", - "actorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", - "env_cloud_environment": "PROD", - "env_epoch": "4QPHR", - "env_flags": "257", - "actorPUID": "100300008060F582", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"StrongAuthenticationPhoneAppDetail\",\"TargetId.UserType\"]", + "targetObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "targetPUID": "1003200096971F55", + "targetUPN": "asr@testsiem.onmicrosoft.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "User" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "StrongAuthenticationPhoneAppDetail" - }, - "TargetId_UserType": { - "OldValue": "", - "NewValue": "Member" + "NewValue": "StrongAuthenticationPhoneAppDetail", + "OldValue": "" }, "StrongAuthenticationPhoneAppDetail": { - "OldValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n 
\"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": -1,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": -1,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"DeviceName\": \"NO_DEVICE\",\r\n \"DeviceToken\": \"NO_DEVICE_TOKEN\",\r\n \"DeviceTag\": \"SoftwareTokenActivated\",\r\n \"PhoneAppVersion\": \"NO_PHONE_APP_VERSION\",\r\n \"OathTokenTimeDrift\": 0,\r\n \"DeviceId\": null,\r\n \"Id\": \"3b539b10-3846-4f9b-877d-55b0b8e76147\",\r\n \"TimeInterval\": null,\r\n \"AuthenticationType\": 2,\r\n \"NotificationType\": 1,\r\n \"SecuredPartitionId\": 0,\r\n \"SecuredKeyId\": 0\r\n }\r\n]" + }, + "TargetId_UserType": { + "NewValue": "Member", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "asr@testsiem.onmicrosoft.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "fim_password_service@support.onmicrosoft.com", - "Actor": [ + 
"Target": [ { - "Type": 5, - "ID": "fim_password_service@support.onmicrosoft.com" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 3, - "ID": "100300008060F582" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "User_00000000-0000-0000-0000-000000000000" + "ID": "User", + "Type": 2 }, { - "Type": 2, - "ID": "00000000-0000-0000-0000-000000000000" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "User" + "ID": "1003200096971F55", + "Type": 3 } ], - "CreationTime": "2020-02-10T15:15:04", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "fim_password_service@support.onmicrosoft.com", + "UserKey": "100300008060F582@support.onmicrosoft.com", "UserType": "0", - "ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:15:04.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ 
@@ -7079,12928 +6651,12068 @@ "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": {}, - "event": { - "ingested": "2022-01-02T03:47:58.413608352Z", - "original": "{\"Actor\":[{\"ID\":\"fim_password_service@support.onmicrosoft.com\",\"Type\":5},{\"ID\":\"100300008060F582\",\"Type\":3},{\"ID\":\"User_00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"00000000-0000-0000-0000-000000000000\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\",\"ActorIpAddress\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"\",\"CreationTime\":\"2020-02-10T15:15:04\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"d51ef8df-6617-4356-b8d4-89ad7efef31e\"},{\"Name\":\"actorObjectId\",\"Value\":\"00000000-0000-0000-0000-000000000000\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"fim_password_service@support.onmicrosoft.com\"},{\"Name\":\"actorPUID\",\"Value\":\"100300008060F582\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"StrongAuthenticationPhoneAppDetail\\\",\\\"TargetId.UserType\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"4aa56c6c-8fa5-4787-a165-03f181541438\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"UserType\\\":\\\"Member\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"Use
rManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:15:04.2043419Z\"},{\"Name\":\"env_epoch\",\"Value\":\"4QPHR\"},{\"Name\":\"env_seqNum\",\"Value\":\"87075075\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"becwebservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"becwebservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RBWSR554\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"83c924c1-f2e2-4b39-8eda-b80c3823a875\",\"ModifiedProperties\":[{\"Name\":\"StrongAuthenticationPhoneAppDetail\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": \\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": -1,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"DeviceName\\\": 
\\\"NO_DEVICE\\\",\\r\\n \\\"DeviceToken\\\": \\\"NO_DEVICE_TOKEN\\\",\\r\\n \\\"DeviceTag\\\": \\\"SoftwareTokenActivated\\\",\\r\\n \\\"PhoneAppVersion\\\": \\\"NO_PHONE_APP_VERSION\\\",\\r\\n \\\"OathTokenTimeDrift\\\": 0,\\r\\n \\\"DeviceId\\\": null,\\r\\n \\\"Id\\\": \\\"3b539b10-3846-4f9b-877d-55b0b8e76147\\\",\\r\\n \\\"TimeInterval\\\": null,\\r\\n \\\"AuthenticationType\\\": 2,\\r\\n \\\"NotificationType\\\": 1,\\r\\n \\\"SecuredPartitionId\\\": 0,\\r\\n \\\"SecuredKeyId\\\": 0\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"StrongAuthenticationPhoneAppDetail\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Update user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"fim_password_service@support.onmicrosoft.com\",\"UserKey\":\"100300008060F582@support.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "modified-user-account", - "id": "83c924c1-f2e2-4b39-8eda-b80c3823a875", - "type": [ - "info", - "user", - "change" - ], - "category": [ - "web", - "iam" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "fim_password_service", - "id": "fim_password_service@support.onmicrosoft.com", - "email": "fim_password_service@support.onmicrosoft.com", "domain": "support.onmicrosoft.com", + "email": 
"fim_password_service@support.onmicrosoft.com", + "id": "fim_password_service@support.onmicrosoft.com", + "name": "fim_password_service", "target": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" } - }, - "tags": [ - "preserve_original_event" - ] + } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:16:18.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + 
"provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:16:18", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:16:18.9844570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", - "env_cloud_roleInstance": "AM5RRDSR581", - "env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", + "actorPUID": "1003200096971F55", "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43649666", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR581", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": 
"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", "env_epoch": "Z4XUI", "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43649666", + "env_time": "2020-02-10T15:16:18.9844570Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" - }, - { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Microsoft Graph" - }, - { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" - }, - { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": 
"", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + 
"ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:16:18", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:16:18.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413609380Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove OAuth2PermissionGrant.", - "id": "ec6ba716-ec04-460a-8d9e-661d732c4689", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:16:18.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + 
"provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:16:18.9844570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", - "env_cloud_roleInstance": "AM5RRDSR581", - "env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43649666", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - 
"env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "Z4XUI", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + 
"AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:16:18", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR581", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", + "env_epoch": "Z4XUI", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43649666", + "env_time": "2020-02-10T15:16:18.9844570Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:16:18", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:16:18.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413610378Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove OAuth2PermissionGrant.", - "id": "ec6ba716-ec04-460a-8d9e-661d732c4689", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:16:18.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ec6ba716-ec04-460a-8d9e-661d732c4689", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + 
"provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:16:18.9844570Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", - "env_cloud_roleInstance": "AM5RRDSR581", - "env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43649666", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - 
"env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "Z4XUI", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + 
"AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:16:18", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2e358876-29c8-45b5-8dba-e233cf769988", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR581", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0", + "env_epoch": "Z4XUI", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43649666", + "env_time": "2020-02-10T15:16:18.9844570Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:16:18", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:16:18.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413611350Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:16:18\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2e358876-29c8-45b5-8dba-e233cf769988\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:16:18.9844570Z\"},{\"Name\":\"env_epoch\",\"Value\":\"Z4XUI\"},{\"Name\":\"env_seqNum\",\"Value\":\"43649666\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##b2c3071c-9589-469b-9fb1-9311682625c0_00000000-0000-0000-0000-000000000000_b2c3071c-9589-469b-9fb1-9311682625c0\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR581\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ec6ba716-ec04-460a-8d9e-661d732c4689\",\"ModifiedProperties\
":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Remove OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove OAuth2PermissionGrant.", - "id": "ec6ba716-ec04-460a-8d9e-661d732c4689", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:00.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "31d7436e-85aa-4aee-a945-6a0ff51ea975", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:00.2133065Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", - "env_cloud_roleInstance": "AM5RRDSR551", - "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "55908032", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "OLE3R", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:00", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": 
"asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR551", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "env_epoch": "OLE3R", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "55908032", + "env_time": "2020-02-10T15:17:00.2133065Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 
Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:00", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:00.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413612404Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": 
"31d7436e-85aa-4aee-a945-6a0ff51ea975", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:00.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:00", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:00.2133065Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR551", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "OLE3R", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "55908041", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:17:00.2133065Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", 
- "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "OLE3R", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, - { - "Type": 2, - "ID": "ServicePrincipal" + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" }, - { - "Type": 1, - "ID": "Office 365 Management APIs" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + 
"ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:00", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:00.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413613459Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:00.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "31d7436e-85aa-4aee-a945-6a0ff51ea975", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:00.2133065Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", - "env_cloud_roleInstance": "AM5RRDSR551", - "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "55908032", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "OLE3R", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:00", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": 
"asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR551", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "env_epoch": "OLE3R", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "55908032", + "env_time": "2020-02-10T15:17:00.2133065Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 
Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:00", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:00.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413614466Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908032\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"31d7436e-85aa-4aee-a945-6a0ff51ea975\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": 
"31d7436e-85aa-4aee-a945-6a0ff51ea975", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:00.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:00.2133065Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", - "env_cloud_roleInstance": "AM5RRDSR551", - "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "55908041", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "OLE3R", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:00", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "env_appId": "restdirectoryservice", + 
"env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR551", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "env_epoch": "OLE3R", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "55908041", + "env_time": "2020-02-10T15:17:00.2133065Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - 
"ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:00", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:00.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413615435Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"
Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - 
"lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:00.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393
580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:00.2133065Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", - "env_cloud_roleInstance": "AM5RRDSR551", - "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "55908041", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "OLE3R", - "env_flags": "257", - "actorPUID": 
"1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } - }, - "Version": "1", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:00", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + 
"actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "b2484c3c-5461-43ab-850b-70fccf706796", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR551", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776", + "env_epoch": "OLE3R", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "55908041", + "env_time": "2020-02-10T15:17:00.2133065Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + 
"version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" + } + }, + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:00", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": 
"asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:00.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413616485Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:00\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\"
:\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"b2484c3c-5461-43ab-850b-70fccf706796\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:00.2133065Z\"},{\"Name\":\"env_epoch\",\"Value\":\"OLE3R\"},{\"Name\":\"env_seqNum\",\"Value\":\"55908041\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##53a69eec-6bcd-473f-9c68-150d680e0776_00000000-0000-0000-0000-000000000000_53a69eec-6bcd-473f-9c68-150d680e0776\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR551\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"7bca6665-4d58-4df9-bd34-4d92e1fc63aa\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "7bca6665-4d58-4df9-bd34-4d92e1fc63aa", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - 
"lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", - "env_cloud_roleInstance": "AM5RRDSR519", - "env_cv": 
"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "44735117", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "44735117", + "env_time": "2020-02-10T15:17:45.3474390Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, + 
"tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", + "target": { + "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + } + } + }, + { + "@timestamp": "2020-02-10T15:17:45.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:47:58.413617547Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.prot
ection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"
Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", + "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",
\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com", - "target": { - "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - 
"AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", - "env_cloud_roleInstance": "AM5RRDSR519", - "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "44735126", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "44735126", + "env_time": "2020-02-10T15:17:45.3474390Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": 
"71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413618602Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "44735126", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:17:45.3474390Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", 
- "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Office 365 Management APIs" - }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:45", + 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413619960Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actor
PUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - 
"lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "44735117", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": 
"MSO-AM5R", + "env_time": "2020-02-10T15:17:45.3474390Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + 
}, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" + } }, + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", + "SupportTicketId": "", "Target": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - 
"OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } - }, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, - { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" - }, - { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "User" - } - ], - "CreationTime": "2020-02-10T15:17:45", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413621027Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Remove app role assignment from service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", - "env_cloud_roleInstance": "AM5RRDSR519", - "env_cv": 
"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "44735117", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "44735117", + "env_time": "2020-02-10T15:17:45.3474390Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413622008Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735117\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.
0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"227bc85c-0c21-4df3-9e11-3a24f104e1e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Remove app role assignment from service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management 
APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Remove app role assignment from service principal.", - "id": "227bc85c-0c21-4df3-9e11-3a24f104e1e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": 
"1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", - "env_cloud_roleInstance": "AM5RRDSR519", - "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "44735126", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCate
gory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://man
age.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "44735126", + "env_time": "2020-02-10T15:17:45.3474390Z", + "env_ver": "2.1", + "extendedAuditEventCategory": 
"ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413622903Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:17:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add a deletion-marked app role assignment grant to service principal as part of link removal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:17:45.3474390Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", - "env_cloud_roleInstance": "AM5RRDSR519", - "env_cv": "##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "44735126", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "95CEL", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } - }, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:17:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "2f79971d-1802-40d2-b048-6cf4f85c010b", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR519", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": 
"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c", + "env_epoch": "95CEL", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "44735126", + "env_time": "2020-02-10T15:17:45.3474390Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" + } + }, + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": 
"Success", + "SupportTicketId": "", + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:17:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:17:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413623995Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:17:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"2f79971d-1802-40d2-b048-6cf4f85c010b\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:17:45.3474390Z\"},{\"Name\":\"env_epoch\",\"Value\":\"95CEL\"},{\"Name\":\"env_seqNum\",\"Value\":\"44735126\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##7680db8f-eddb-4082-952a-0a3cfafd117c_00000000-0000-0000-0000-000000000000_7680db8f-eddb-4082-952a-0a3cfafd117c\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR519\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\
"Value\":\"R5\"}],\"Id\":\"a385881d-d5e8-47b0-83ea-d50d6c9906e4\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add a deletion-marked app role assignment grant to service principal as part of link removal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add a 
deletion-marked app role assignment grant to service principal as part of link removal.", - "id": "a385881d-d5e8-47b0-83ea-d50d6c9906e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Consent to application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.3393756Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", 
- "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43118027", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - 
"RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43118027", + "env_time": "2020-02-10T15:30:06.3393756Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + 
"targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " + "NewValue": "[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" + "TargetId_ServicePrincipalNames": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" 
+ "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", + "target": { + "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" + } + } + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:47:58.413624972Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", "action": "Consent to application.", - "id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "AzureActiveDirectory", + "id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com", - "target": { - "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" - } - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - 
"env_cloud_deploymentUnit": "R5", - "targetName": "siem", - "env_appId": "restdirectoryservice", - "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.3393756Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43118027", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": 
"5c242833-909c-4c6b-bca3-50feaaa98d23" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43118027", + "env_time": "2020-02-10T15:30:06.3393756Z", + 
"env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem", + "targetObjectId": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "targetSPN": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " + "NewValue": "[] =\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" + "TargetId_ServicePrincipalNames": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "71a0194b-b70c-44a6-82f2-d4670aee4585", + 
"RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413626011Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"},{\"Name\":\"targetName\",\"Value\":\"siem\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mo
zilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3393756Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118027\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"0031778a-80cf-49f8-aea2-f798c9bf1ec9\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: MygkXJyQa0y8o1D-qqmNI_mOUpib6JpGsZv6jnKgD6Y, ClientId: 5c242833-909c-4c6b-bca3-50feaaa98d23, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"}],\"ObjectId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem\",\"Type\":1},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":2},{\"ID\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Consent to application.", - "id": "0031778a-80cf-49f8-aea2-f798c9bf1ec9", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "71a0194b-b70c-44a6-82f2-d4670aee4585" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add 
OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": 
"AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.3343965Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43118019", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:30:06.3343965Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" - }, - { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Microsoft Graph" - }, - { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" - }, - { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - 
}, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + 
"Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413627035Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": 
"AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.3343965Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43118019", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:30:06.3343965Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" + }, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" + } }, + "ObjectId": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", + "SupportTicketId": "", "Target": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" - }, - 
"ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } - }, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, - { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" - }, - { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "User" - } - ], - "CreationTime": "2020-02-10T15:30:06", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413628270Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": 
"AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.3343965Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43118019", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": 
"MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + 
"AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43118019", + "env_time": "2020-02-10T15:30:06.3343965Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": 
"98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - 
"TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413629234Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.3343965Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43118019", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "38FW7", - "env_flags": "257", - 
"actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Add OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\
"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb
87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + 
"actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43118019", + "env_time": "2020-02-10T15:30:06.3343965Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413630469Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.3343965Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43118019\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8\",\"ModifiedProperties\"
:[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - 
"provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "ad12e6ca-cb87-4bc5-8103-dbc83cb9a4f8", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.1843731Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43117912", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - 
"ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } - }, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + 
"env_popSample": "0", + "env_seqNum": "43117912", + "env_time": "2020-02-10T15:30:06.1843731Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" + } + }, + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", + "SupportTicketId": "", + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413631427Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"678f80a3-92c4-4bb6-83a1-1c39d5a87225", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.2593808Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43117959", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": 
"asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43117959", + "env_time": "2020-02-10T15:30:06.2593808Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - 
"ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 
Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", + "target": { + "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + } + } + }, + { + "@timestamp": "2020-02-10T15:30:06.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:47:58.413632466Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", "action": "Add app role assignment to service principal.", - "id": 
"a73c1c7e-5591-4912-94cc-527ad6f48ed8", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "AzureActiveDirectory", + "id": "a73c1c7e-5591-4912-94cc-527ad6f48ed8", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com", - "target": { - "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.2593808Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", - "env_cloud_roleInstance": "AM5RRDSR57", - "env_cv": 
"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "43117959", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { 
- "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "43117959", + "env_time": "2020-02-10T15:30:06.2593808Z", + "env_ver": "2.1", + 
"extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", 
+ "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413633471Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.2593808Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117959\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"a73c1c7e-5591-4912-94cc-527ad6f48ed8\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"a73c1c7e-5591-4912-94cc-527ad6f48ed8", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"
Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.1843731Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43117912", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:30:06.1843731Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": 
"[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Office 365 Management APIs" - }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, 
"ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" + "NewValue": "siem", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-10T15:30:06", + "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413634534Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"
1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://mana
ge.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-10T15:30:06.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office
.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environm
ent\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { 
+ "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:30:06", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-10T15:30:06.1843731Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "654d7080-aee6-4826-abd9-c5710b336614", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR57", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "38FW7", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "43117912", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-10T15:30:06.1843731Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - 
"env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"DisplayName\":\"siem\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"Name\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\"}]", - "env_epoch": "38FW7", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_DisplayName": { + "NewValue": "siem", + "OldValue": "" + }, + "ServicePrincipal_Name": { + "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585", + "OldValue": "" + }, + "ServicePrincipal_ObjectID": { + "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" + } }, + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", + "SupportTicketId": "", "Target": [ { - "Type": 2, - "ID": 
"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - }, - "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem" - }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "71a0194b-b70c-44a6-82f2-d4670aee4585" - }, - "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "5c242833-909c-4c6b-bca3-50feaaa98d23" - } - }, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, - { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" - }, - { - "Type": 2, - "ID": 
"User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "User" - } - ], - "CreationTime": "2020-02-10T15:30:06", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:30:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413635738Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:30:06\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\
"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"654d7080-aee6-4826-abd9-c5710b336614\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"5c242833-909c-4c6b-bca3-50feaaa98d23\\\",\\\"DisplayName\\\":\\\"siem\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\",\\\"Name\\\":\\\"71a0194b-b70c-44a6-82f2-d4670aee4585\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-10T15:30:06.1843731Z\"},{\"Name\":\"env_epoch\",\"Value\":\"38FW7\"},{\"Name\":\"env_seqNum\",\"Value\":\"43117912\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78_00000000-0000-0000-0000-000000000000_eb6f4dc6-03bb-4c63-9cab-f08dd1f79c78\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR57\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"678f80a3-92c4-4bb6-83a1-1c39d5a87225\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"5c242833-909c-4c6b-bca3-50feaaa98d23\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"71a0194b-b70c-44a6-82f2-d4670aee4585\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://mana
ge.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "678f80a3-92c4-4bb6-83a1-1c39d5a87225", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-11T16:36:30.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"cor
relationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n 
\\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + 
"AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:30.6833528Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR521", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "SDA9U", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "41554400", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": 
"2020-02-11T16:36:30.6833528Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "SDA9U", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem2" - } - ], - "RecordType": "8", "ModifiedProperties": { - "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess" + "AppId": { + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "AvailableToOtherTenants": { + "NewValue": "[\r\n false\r\n]", + "OldValue": "[]" }, "DisplayName": { - "OldValue": "[]", - "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, - "AppId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "Included_Updated_Properties": { + "NewValue": "AppId, 
AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" - }, - "AvailableToOtherTenants": { - "OldValue": "[]", - "NewValue": "[\r\n false\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:36:30", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, 
- "@timestamp": "2020-02-11T16:36:30.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413636812Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"
extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n 
false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add application.", - "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - 
"continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:30.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:30.6833528Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "484659af-7387-4b77-b889-c4d2a8060004", - "env_cloud_roleInstance": "AM5RRDSR521", - "env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "41554400", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "SDA9U", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Add application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\
":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n 
\\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "Application" + "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:30", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR521", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", + "env_epoch": "SDA9U", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "41554400", + "env_time": "2020-02-11T16:36:30.6833528Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "Application", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": 
"33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess" + "AppId": { + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "AvailableToOtherTenants": { + "NewValue": "[\r\n false\r\n]", + "OldValue": "[]" }, "DisplayName": { - "OldValue": "[]", - "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, - "AppId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "Included_Updated_Properties": { + "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" - }, - "AvailableToOtherTenants": { - "OldValue": "[]", - "NewValue": "[\r\n false\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ 
{ - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:36:30", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:30.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413638118Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add application.", - "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:30.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 
1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - 
"env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:30.6833528Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR521", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "SDA9U", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "41554400", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:36:30.6833528Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "SDA9U", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem2" - } - ], - "RecordType": "8", "ModifiedProperties": { - "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess" + "AppId": { + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "AvailableToOtherTenants": { + "NewValue": "[\r\n false\r\n]", + "OldValue": "[]" }, "DisplayName": { - "OldValue": "[]", - "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, - "AppId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "Included_Updated_Properties": { + "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n 
\"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" - }, - "AvailableToOtherTenants": { - "OldValue": "[]", - "NewValue": "[\r\n false\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:36:30", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:30.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ 
+ "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413639023Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},
{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n 
\\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add application.", - "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:30.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - 
"tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":
\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": 
\\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:30", 
"ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:30.6833528Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR521", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "SDA9U", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "41554400", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:36:30.6833528Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - 
"env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "SDA9U", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem2" - } - ], - "RecordType": "8", "ModifiedProperties": { - "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess" + "AppId": { + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "AvailableToOtherTenants": { + "NewValue": "[\r\n false\r\n]", + "OldValue": "[]" }, "DisplayName": { - "OldValue": "[]", - "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, - "AppId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "Included_Updated_Properties": { + "NewValue": "AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", + "OldValue": "" }, 
"RequiredResourceAccess": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" - }, - "AvailableToOtherTenants": { - "OldValue": "[]", - "NewValue": "[\r\n false\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:36:30", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:30.000Z", - "ecs": { - "version": "8.0.0" + 
"organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413639868Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName
\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AppId\\\",\\\"AvailableToOtherTenants\\\",\\\"DisplayName\\\",\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.6833528Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554400\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"689aaff0-b34f-4077-9244-0563b9f9c03b\",\"ModifiedProperties\":[{\"Name\":\"AppId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AvailableToOtherTenants\",\"NewValue\":\"[\\r\\n false\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n 
\\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Add application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add application.", - "id": "689aaff0-b34f-4077-9244-0563b9f9c03b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - 
}, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:30.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add owner to application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"
Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6
c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add owner to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "asr@testsiem.onmicrosoft.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:30", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "targetUPN": "asr@testsiem.onmicrosoft.com", - "env_cloud_deploymentUnit": "R5", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:30.7383513Z", - "targetPUID": "1003200096971F55", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "484659af-7387-4b77-b889-c4d2a8060004", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR521", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "SDA9U", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "41554439", - "targetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:36:30.7383513Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"Application.ObjectID\",\"Application.DisplayName\",\"Application.AppId\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"Application\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "SDA9U", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"Application.ObjectID\",\"Application.DisplayName\",\"Application.AppId\"]", + "targetObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "targetPUID": "1003200096971F55", + "targetUPN": "asr@testsiem.onmicrosoft.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "User" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "RecordType": "8", "ModifiedProperties": { "Application_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "Application_ObjectID": { - "OldValue": "", - "NewValue": "33cdc459-1335-4d6c-b773-f5eef4df7793" + "NewValue": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "Application_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" + }, + "Application_ObjectID": { + "NewValue": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "asr@testsiem.onmicrosoft.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, + "Target": [ { - "Type": 3, - "ID": "1003200096971F55" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "User", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "User" + "ID": "1003200096971F55", + "Type": 3 } ], - "CreationTime": "2020-02-11T16:36:30", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:30.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" 
}, - "event": { - "ingested": "2022-01-02T03:47:58.413640760Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:30\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"targetPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"Application.ObjectID\\\",\\\"Application.DisplayName\\\",\\\"Application.AppId\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"484659af-7387-4b77-b889-c4d2a8060004\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"33cdc459-1335-4d6c-b773-f5eef4df7793\\\",\\\"Dis
playName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"Application\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:30.7383513Z\"},{\"Name\":\"env_epoch\",\"Value\":\"SDA9U\"},{\"Name\":\"env_seqNum\",\"Value\":\"41554439\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##9758fd77-23a7-4fdc-951a-f9200b1a4af9_00000000-0000-0000-0000-000000000000_9758fd77-23a7-4fdc-951a-f9200b1a4af9\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR521\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"ccbe264f-f6bc-42bd-b5b6-2893ce2f465f\",\"ModifiedProperties\":[{\"Name\":\"Application.ObjectID\",\"NewValue\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"OldValue\":\"\"},{\"Name\":\"Application.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"Application.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"Add owner to 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add owner to application.", - "id": "ccbe264f-f6bc-42bd-b5b6-2893ce2f465f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:31.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": 
"48403af8-b712-4e63-a999-686b631240ac", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"Use
r-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": 
\\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": 
"2020-02-11T16:36:31.1327910Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "39121960", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "NNJOH", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:31", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "env_epoch": "NNJOH", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "39121960", + "env_time": "2020-02-11T16:36:31.1327910Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": 
"[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { + "AccountEnabled": { + "NewValue": "[\r\n true\r\n]", + "OldValue": "[]" + }, "AppPrincipalId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "Credential": { + "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", + "OldValue": "[]" + }, + "DisplayName": { + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential" + "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "OldValue": "" }, "ServicePrincipalName": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" - }, - "Credential": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "AccountEnabled": { - "OldValue": "[]", - "NewValue": "[\r\n true\r\n]" - }, - "DisplayName": { - "OldValue": "[]", - "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:36:31", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:31.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413641626Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add service principal.", - "id": "48403af8-b712-4e63-a999-686b631240ac", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:31.000Z", + "client": { + "address": 
"67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "48403af8-b712-4e63-a999-686b631240ac", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincip
alName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - 
"targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:31.1327910Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "39121960", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "NNJOH", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - 
"Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:31", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "env_epoch": "NNJOH", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "39121960", + "env_time": "2020-02-11T16:36:31.1327910Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": 
"\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { + "AccountEnabled": { + "NewValue": "[\r\n true\r\n]", + "OldValue": "[]" + }, "AppPrincipalId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "Credential": { + "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", + "OldValue": "[]" + }, + "DisplayName": { + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential" + "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "OldValue": "" }, "ServicePrincipalName": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" - }, - "Credential": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "AccountEnabled": { - "OldValue": "[]", - "NewValue": "[\r\n true\r\n]" - }, - "DisplayName": { - "OldValue": "[]", 
- "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:36:31", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:31.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413642498Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add service principal.", - "id": "48403af8-b712-4e63-a999-686b631240ac", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:31.000Z", + "client": { + "address": 
"67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "48403af8-b712-4e63-a999-686b631240ac", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincip
alName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:31", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:31.1327910Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", + "actorPUID": "1003200096971F55", "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "39121960", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "auditEventCategory": "ApplicationManagement", + "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", "env_epoch": "NNJOH", "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "39121960", + "env_time": "2020-02-11T16:36:31.1327910Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" - }, - { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" - }, - { - "Type": 2, - "ID": "ServicePrincipal" + "ModifiedProperties": { + "AccountEnabled": { + "NewValue": "[\r\n 
true\r\n]", + "OldValue": "[]" }, - { - "Type": 1, - "ID": "siem2" + "AppPrincipalId": { + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" }, - { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "Credential": { + "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", + "OldValue": "[]" }, - { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - } - ], - "RecordType": "8", - "ModifiedProperties": { - "AppPrincipalId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "DisplayName": { + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential" + "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "OldValue": "" }, "ServicePrincipalName": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" - }, - "Credential": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "AccountEnabled": { - "OldValue": "[]", - "NewValue": "[\r\n true\r\n]" - }, - "DisplayName": { - "OldValue": "[]", - "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:36:31", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:31.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413643407Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add service principal.", - "id": "48403af8-b712-4e63-a999-686b631240ac", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:36:31.000Z", + "client": { + "address": 
"67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "48403af8-b712-4e63-a999-686b631240ac", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincip
alName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n 
\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n }\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - 
"targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:36:31.1327910Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", - "env_cloud_roleInstance": "AM5RRDSR568", - "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "39121960", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "NNJOH", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - 
"Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:36:31", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "381d015d-6660-4dce-af99-4cd8c3b61d4d", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR568", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168", + "env_epoch": "NNJOH", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "39121960", + "env_time": "2020-02-11T16:36:31.1327910Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": 
"\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"AccountEnabled\",\"AppPrincipalId\",\"DisplayName\",\"ServicePrincipalName\",\"Credential\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { + "AccountEnabled": { + "NewValue": "[\r\n true\r\n]", + "OldValue": "[]" + }, "AppPrincipalId": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" + }, + "Credential": { + "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", + "OldValue": "[]" + }, + "DisplayName": { + "NewValue": "[\r\n \"siem2\"\r\n]", + "OldValue": "[]" }, "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential" + "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", + "OldValue": "" }, "ServicePrincipalName": { - "OldValue": "[]", - "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]" - }, - "Credential": { - "OldValue": "[]", - "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]" + "NewValue": "[\r\n \"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"\r\n]", + "OldValue": "[]" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "AccountEnabled": { - "OldValue": "[]", - "NewValue": "[\r\n true\r\n]" - }, - "DisplayName": { - "OldValue": "[]", 
- "NewValue": "[\r\n \"siem2\"\r\n]" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:36:31", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:36:31.000Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "asr" - ], - "ip": [ - "67.43.156.15" - ] - }, "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "event": { - "ingested": "2022-01-02T03:47:58.413644331Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:36:31\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"AccountEnabled\\\",\\\"AppPrincipalId\\\",\\\"DisplayName\\\",\\\"ServicePrincipalName\\\",\\\"Credential\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"381d015d-6660-4dce-af99-4cd8c3b61d4d\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) 
Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:36:31.1327910Z\"},{\"Name\":\"env_epoch\",\"Value\":\"NNJOH\"},{\"Name\":\"env_seqNum\",\"Value\":\"39121960\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##d409567a-16bf-49cb-a4c9-cb4608f62168_00000000-0000-0000-0000-000000000000_d409567a-16bf-49cb-a4c9-cb4608f62168\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR568\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"48403af8-b712-4e63-a999-686b631240ac\",\"ModifiedProperties\":[{\"Name\":\"AccountEnabled\",\"NewValue\":\"[\\r\\n true\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"AppPrincipalId\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"DisplayName\",\"NewValue\":\"[\\r\\n \\\"siem2\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"ServicePrincipalName\",\"NewValue\":\"[\\r\\n \\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Credential\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"CredentialType\\\": 2,\\r\\n \\\"KeyStoreId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\",\\r\\n \\\"KeyGroupId\\\": \\\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\\\"\\r\\n 
}\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add service principal.", - "id": "48403af8-b712-4e63-a999-686b631240ac", - "type": [ - "info" - ], - "category": [ - "web" + "related": { + "ip": [ + "67.43.156.15" ], - "outcome": "success" + "user": [ + "asr" + ] + }, + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - 
"as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:42:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96
a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:42:45.0442303Z", 
- "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR559", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "VYXPT", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "45826392", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:42:45.0442303Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "VYXPT", - 
"env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, + "ModifiedProperties": {}, + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", + "SupportTicketId": "", "Target": [ { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "Application" + "ID": "Application", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "siem2", + "Type": 1 } ], - "RecordType": "8", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, - { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" - }, - { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 2, - "ID": "User" - } - ], - "CreationTime": "2020-02-11T16:42:45", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { 
- "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413645280Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":
\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826392\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc\",\"ModifiedProperties\":[],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "aaa361ac-50e8-43f4-9aaf-c19c09e3e3bc", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:42:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application – Certificates and secrets management ", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:42:45.0442303Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", - "env_cloud_roleInstance": "AM5RRDSR559", - "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "45826385", - 
"targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"KeyDescription\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "VYXPT", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 2, - "ID": "Application" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:42:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": 
"531446ed-abd2-468f-96a8-a4dcc7b05168", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR559", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "env_epoch": "VYXPT", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "45826385", + "env_time": "2020-02-11T16:42:45.0442303Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "Application", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"KeyDescription\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "KeyDescription" + "NewValue": "KeyDescription", + "OldValue": "" }, "KeyDescription": { - "OldValue": "[]", - "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]" + "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]", + "OldValue": "[]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:42:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413646297Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application – Certificates and secrets management ", - "id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:42:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application – Certificates and secrets management ", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:42:45", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:42:45.0442303Z", - 
"env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR559", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "VYXPT", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "45826385", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:42:45.0442303Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"KeyDescription\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": 
"VYXPT", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"KeyDescription\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem2" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "KeyDescription" + "NewValue": "KeyDescription", + "OldValue": "" }, "KeyDescription": { - "OldValue": "[]", - "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]" + "NewValue": "[\r\n \"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\"\r\n]", + "OldValue": "[]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 
2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:42:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413647128Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"KeyDescription\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.0442303Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826385\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"20a82fa1-625b-491a-a3e8-54d779a9b17e\",\"ModifiedProperties\":[{\"Name\":\"KeyDescription\",\"NewValue\":\"[\\r\\n \\\"[KeyIdentifier=6d944a5f-234c-4879-8de4-39f089d8b96b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=E=asr@example.net, CN=testsiem.onmicrosoft.com, OU=SIEM, O=Elastic, L=Barcelona, S=Barce]\\\"\\r\\n]\",\"OldValue\":\"[]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"KeyDescription\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application – Certificates and secrets management 
\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application – Certificates and secrets management ", - "id": "20a82fa1-625b-491a-a3e8-54d779a9b17e", - "type": [ - "info" ], - "category": [ - "web" - ], - "outcome": "success" + "user": [ + "asr" + ] + }, + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:42:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "15adbe69-7974-41ec-8341-208456600ad3", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:42:45.1042022Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", - "env_cloud_roleInstance": "AM5RRDSR559", - "env_cv": 
"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "45826464", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "VYXPT", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:42:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR559", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "env_epoch": "VYXPT", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "45826464", + "env_time": "2020-02-11T16:42:45.1042022Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + 
"ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:42:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413648173Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "15adbe69-7974-41ec-8341-208456600ad3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:42:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": 
"67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:42:45.1042022Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", - "env_cloud_roleInstance": "AM5RRDSR559", - "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "45826464", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "VYXPT", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "15adbe69-7974-41ec-8341-208456600ad3", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:42:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR559", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "env_epoch": "VYXPT", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "45826464", + "env_time": "2020-02-11T16:42:45.1042022Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + 
"RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:42:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413649015Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "15adbe69-7974-41ec-8341-208456600ad3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:42:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "15adbe69-7974-41ec-8341-208456600ad3", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:42:45.1042022Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", - "env_cloud_roleInstance": "AM5RRDSR559", - "env_cv": 
"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "45826464", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "VYXPT", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:42:45", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "531446ed-abd2-468f-96a8-a4dcc7b05168", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR559", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be", + "env_epoch": "VYXPT", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "45826464", + "env_time": "2020-02-11T16:42:45.1042022Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + 
"ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:42:45", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413649865Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:42:45\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"531446ed-abd2-468f-96a8-a4dcc7b05168\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:42:45.1042022Z\"},{\"Name\":\"env_epoch\",\"Value\":\"VYXPT\"},{\"Name\":\"env_seqNum\",\"Value\":\"45826464\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##51f1503a-20a3-43cd-b898-bea330e149be_00000000-0000-0000-0000-000000000000_51f1503a-20a3-43cd-b898-bea330e149be\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR559\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"15adbe69-7974-41ec-8341-208456600ad3\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "15adbe69-7974-41ec-8341-208456600ad3", - "type": [ - "info" - ], - "category": [ - "web" ], - "outcome": "success" + "user": [ + "asr" + ] + }, + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - 
"AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:37", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:37.2045249Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + 
"env_cloud_ver": "1.0", "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "34620418", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:45:37.2045249Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem2" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": 
"RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n 
\"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:45:37", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - 
"name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413651432Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + 
"preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Nam
e\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"N
ame\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:37.2045249Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "34620418", 
- "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 2, - "ID": "Application" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:37", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": 
"811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34620418", + "env_time": "2020-02-11T16:45:37.2045249Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "Application", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n 
\"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", 
"SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:45:37", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413652285Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + 
"preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Nam
e\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"N
ame\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update 
application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Not Available", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:37", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:37.2045249Z", 
- "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "34620418", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:45:37.2045249Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "Application", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - 
"env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"RequiredResourceAccess\"]", + "targetName": "siem2", + "targetObjectId": "33cdc459-1335-4d6c-b773-f5eef4df7793", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793" - }, - { - "Type": 2, - "ID": "Application" - }, - { - "Type": 1, - "ID": "siem2" - } - ], - "RecordType": "8", "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "RequiredResourceAccess" + "NewValue": "RequiredResourceAccess", + "OldValue": "" }, "RequiredResourceAccess": { - "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", - "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": 
\"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" + "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", + "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]" } }, - "Version": "1", + "ObjectId": "Not Available", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - }, + "Target": [ { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": 
"33cdc459-1335-4d6c-b773-f5eef4df7793", + "Type": 2 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Application", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "siem2", + "Type": 1 } ], - "CreationTime": "2020-02-11T16:45:37", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ - "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413653173Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"Application\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"RequiredResourceAccess\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2045249Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620418\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"d23b201c-5436-4ecc-a789-18d3f00ea76c\",\"ModifiedProperties\":[{\"Name\":\"RequiredResourceAccess\",\"NewValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n },\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"c5393580-f805-4401-95e8-94b7a6ef2fc2\\\",\\r\\n \\\"RequiredAppPermissions\\\": 
[\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"594c1fb6-4f81-4475-ae41-0c394909246c\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"4807a72c-ad38-4250-94c9-4eabfe26cd55\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n },\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e2cea78f-e743-4d8f-a16a-75b629a038ae\\\",\\r\\n \\\"DirectAccessGrant\\\": true,\\r\\n \\\"ImpersonationAccessGrants\\\": []\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\",\"OldValue\":\"[\\r\\n {\\r\\n \\\"ResourceAppId\\\": \\\"00000003-0000-0000-c000-000000000000\\\",\\r\\n \\\"RequiredAppPermissions\\\": [\\r\\n {\\r\\n \\\"EntitlementId\\\": \\\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\\\",\\r\\n \\\"DirectAccessGrant\\\": false,\\r\\n \\\"ImpersonationAccessGrants\\\": [\\r\\n 20\\r\\n ]\\r\\n }\\r\\n ],\\r\\n \\\"EncodingVersion\\\": 1\\r\\n }\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"RequiredResourceAccess\",\"OldValue\":\"\"}],\"ObjectId\":\"Not Available\",\"Operation\":\"Update application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Application_33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"33cdc459-1335-4d6c-b773-f5eef4df7793\",\"Type\":2},{\"ID\":\"Application\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update application.", - "id": "d23b201c-5436-4ecc-a789-18d3f00ea76c", - "type": [ - "info" - ], - "category": [ - "web" + "67.43.156.15" ], - "outcome": "success" + 
"user": [ + "asr" + ] }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "Not Available" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Nam
e\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"en
v_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - 
"env_time": "2020-02-11T16:45:37.2595378Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34620448", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - 
"Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:37", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34620448", + "env_time": "2020-02-11T16:45:37.2595378Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + 
"teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:37", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - 
"name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413654016Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"
2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:37.2595378Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34620448", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:37", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34620448", + "env_time": "2020-02-11T16:45:37.2595378Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + 
"ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:37", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413655208Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:37.2595378Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": 
"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34620448", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:37", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "811fd012-35a6-4a0c-abce-79fb08b9ab6c", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34620448", + "env_time": "2020-02-11T16:45:37.2595378Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "Included_Updated_Properties": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + 
"ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:37", - "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - } - }, - "@timestamp": "2020-02-11T16:45:37.000Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "asr" - ], - "ip": [ - "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413656065Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:37\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"811fd012-35a6-4a0c-abce-79fb08b9ab6c\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:37.2595378Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34620448\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##ad2523c5-ea21-4329-8c31-ccbd1af8c337_00000000-0000-0000-0000-000000000000_ad2523c5-ea21-4329-8c31-ccbd1af8c337\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"99a3d3e3-e4f6-4de7-96e0-6333564e1b25\",\"ModifiedProperties\":[{\"Name\":\"Included Updated Properties\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Update service 
principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Update service principal.", - "id": "99a3d3e3-e4f6-4de7-96e0-6333564e1b25", - "type": [ - "info" - ], - "category": [ - "web" + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "UserType": "0", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.15" ], - "outcome": "success" + "user": [ + "asr" + ] + }, + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "256e3859-87ca-4b23-b2c0-45a26ccd7925", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office
.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_enviro
nment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + 
"host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.8071361Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622707", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622707", + "env_time": "2020-02-11T16:45:41.8071361Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413656969Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"256e3859-87ca-4b23-b2c0-45a26ccd7925", - "type": [ - "info" - ], - "category": [ - "web" ], - "outcome": "success" + "user": [ + "asr" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com", - "target": { - "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - } - }, - { "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, "ip": "67.43.156.15" }, "tags": [ "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.8821342Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": 
"AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622751", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", + "target": { + "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + } + } + }, + { + "@timestamp": "2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service 
principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + 
"env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622751", + "env_time": "2020-02-11T16:45:41.8821342Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - 
"OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": 
"0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413657884Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name
\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://ma
nage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office
.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_enviro
nment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + 
"host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.9571526Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622781", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622781", + "env_time": "2020-02-11T16:45:41.9571526Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413658769Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"a4a12952-3467-4d48-9950-48b4b9ac87b3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.8821342Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622751", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + 
"actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622751", + "env_time": "2020-02-11T16:45:41.8821342Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, 
"ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" 
+ "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413659703Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"411fc666-cabf-4cb0-b8a3-e5a2cc515b79", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.9571526Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622781", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + 
"actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622781", + "env_time": "2020-02-11T16:45:41.9571526Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, 
"ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" 
+ "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413660556Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"a4a12952-3467-4d48-9950-48b4b9ac87b3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.8821342Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "34622751", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:45:41.8821342Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": 
"[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "Office 365 Management APIs" - }, - { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" - }, - { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" - } - ], - "RecordType": "8", "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, 
"ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413661406Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"
1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8821342Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622751\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"411fc666-cabf-4cb0-b8a3-e5a2cc515b79\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://ma
nage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": "411fc666-cabf-4cb0-b8a3-e5a2cc515b79", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": 
"2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "256e3859-87ca-4b23-b2c0-45a26ccd7925", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office
.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_enviro
nment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + 
"host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.8071361Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622707", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + 
"actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622707", + "env_time": "2020-02-11T16:45:41.8071361Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": 
"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": 
"efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "asr" - ], - "ip": [ - "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:47:58.413662311Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.8071361Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622707\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"256e3859-87ca-4b23-b2c0-45a26ccd7925\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"256e3859-87ca-4b23-b2c0-45a26ccd7925", - "type": [ - "info" - ], - "category": [ - "web" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.15" ], - "outcome": "success" + "user": [ + "asr" + ] }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment to service principal.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "a4a12952-3467-4d48-9950-48b4b9ac87b3", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Office 365 Management APIs", - "env_appId": "restdirectoryservice", - "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:41.9571526Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622781", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": 
"{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Office 365 Management APIs" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:41", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + 
"actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":\"siem2\",\"ObjectClass\":\"ServicePrincipal\",\"AppId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Name\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622781", + "env_time": "2020-02-11T16:45:41.9571526Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Office 365 Management APIs", + "targetObjectId": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "targetSPN": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "teamName": "MSODS.", + "version": "2" + }, 
"ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" + "ServicePrincipal_AppId": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "siem2" + "NewValue": "siem2", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ServicePrincipal_Name": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" 
+ "ID": "Office 365 Management APIs", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:41", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413663162Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:41\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\"},{\"Name\":\"targetName\",\"Value\":\"Office 365 Management 
APIs\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":\\\"siem2\\\",\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\",\\\"Name\\\":\\\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:41.9571526Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622781\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",
\"Value\":\"R5\"}],\"Id\":\"a4a12952-3467-4d48-9950-48b4b9ac87b3\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"siem2\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"OldValue\":\"\"}],\"ObjectId\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Operation\":\"Add app role assignment to service principal.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"efe101d0-818a-4f19-b2f8-53186f8218ad\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Office 365 Management APIs\",\"Type\":1},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\"Type\":2},{\"ID\":\"c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment to service principal.", - "id": 
"a4a12952-3467-4d48-9950-48b4b9ac87b3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com" } } }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": 
"2020-02-11T16:45:42.0571467Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "34622817", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + { + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", + "ip": "67.43.156.15" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": 
"db3ce560-1c2f-4c85-b305-55ad6476250f", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + 
"actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622817", + "env_time": "2020-02-11T16:45:42.0571467Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413664095Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "db3ce560-1c2f-4c85-b305-55ad6476250f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": 
"db3ce560-1c2f-4c85-b305-55ad6476250f", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.0571467Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "34622817", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + 
"ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", - "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": 
"PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622817", + "env_time": "2020-02-11T16:45:42.0571467Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, + "ModifiedProperties": { + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - 
"@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413665087Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-0
00000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env
_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "db3ce560-1c2f-4c85-b305-55ad6476250f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add OAuth2PermissionGrant.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": 
"db3ce560-1c2f-4c85-b305-55ad6476250f", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft 
Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":
\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "Microsoft Graph", - "env_appId": "restdirectoryservice", - "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.0571467Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "auditEventCategory": "ApplicationManagement", - "env_popSample": "0", - "env_seqNum": "34622817", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "Microsoft Graph" + 
"ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622817", + "env_time": "2020-02-11T16:45:42.0571467Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "Microsoft Graph", + "targetObjectId": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "targetSPN": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ServicePrincipal_Name": { - "OldValue": "", - "NewValue": "" - }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" + "ServicePrincipal_AppId": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_DisplayName": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ServicePrincipal_AppId": { - "OldValue": "", - "NewValue": "" + "ServicePrincipal_Name": { + "NewValue": "", + "OldValue": "" }, "ServicePrincipal_ObjectID": { - "OldValue": "", - "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "NewValue": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "OldValue": "" + }, + "TargetId_ServicePrincipalNames": { + "NewValue": 
"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "Microsoft Graph", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - 
"@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413666011Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-0
00000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\"},{\"Name\":\"targetName\",\"Value\":\"Microsoft Graph\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ServicePrincipal.ObjectID\\\",\\\"ServicePrincipal.DisplayName\\\",\\\"ServicePrincipal.AppId\\\",\\\"ServicePrincipal.Name\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"fb91e9f0-9485-4a68-89e9-a164d20ae855\\\",\\\"DisplayName\\\":null,\\\"ObjectClass\\\":\\\"ServicePrincipal\\\",\\\"AppId\\\":null,\\\"Name\\\":null}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.0571467Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622817\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env
_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"db3ce560-1c2f-4c85-b305-55ad6476250f\",\"ModifiedProperties\":[{\"Name\":\"ServicePrincipal.ObjectID\",\"NewValue\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.DisplayName\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.AppId\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ServicePrincipal.Name\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"OldValue\":\"\"}],\"ObjectId\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Operation\":\"Add OAuth2PermissionGrant.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"98528ef9-e89b-469a-b19b-fa8e72a00fa6\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"Microsoft 
Graph\",\"Type\":1},{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":2},{\"ID\":\"00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add OAuth2PermissionGrant.", - "id": "db3ce560-1c2f-4c85-b305-55ad6476250f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Consent to application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": 
"24524679-8930-4afd-83b8-2dc70aa0a016", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2
\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: 
AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.1421458Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": 
"fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622848", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622848", + "env_time": "2020-02-11T16:45:42.1421458Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": 
"siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " + "NewValue": "[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" + "TargetId_ServicePrincipalNames": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + 
"Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413667319Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Consent to application.", - "id": "24524679-8930-4afd-83b8-2dc70aa0a016", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Consent to 
application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\
"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, 
PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.1421458Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622848", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622848", + "env_time": "2020-02-11T16:45:42.1421458Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": 
"[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " + "NewValue": "[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" + "TargetId_ServicePrincipalNames": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": 
"asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413668339Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Consent to application.", - "id": "24524679-8930-4afd-83b8-2dc70aa0a016", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Consent to 
application.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\
"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, 
PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; \",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.1421458Z", - "env_cloud_role": "restdirectoryservice", - "env_name": 
"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "ApplicationManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622848", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "ServicePrincipal", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": 
"755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "auditEventCategory": "ApplicationManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622848", + "env_time": "2020-02-11T16:45:42.1421458Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "ServicePrincipal", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": 
"[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { - "ConsentContext_OnBehalfOfAll": { - "OldValue": "", - "NewValue": "True" - }, "ConsentAction_Permissions": { - "OldValue": "", - "NewValue": "[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; " + "NewValue": "[] =\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; ", + "OldValue": "" }, - "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ConsentContext_IsAdminConsent": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_IsAppOnly": { - "OldValue": "", - "NewValue": "False" + "NewValue": "False", + "OldValue": "" + }, + "ConsentContext_OnBehalfOfAll": { + "NewValue": "True", + "OldValue": "" }, "ConsentContext_Tags": { - "OldValue": "", - "NewValue": "" + "NewValue": "", + "OldValue": "" }, - "ConsentContext_IsAdminConsent": { - "OldValue": "", - "NewValue": "True" + "TargetId_ServicePrincipalNames": { + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": 
"asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", + "target": { + "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + } + } + }, + { + "@timestamp": "2020-02-11T16:45:42.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:47:58.413669246Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"ApplicationManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"ServicePrincipal\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"ConsentContext.IsAdminConsent\\\",\\\"ConsentContext.IsAppOnly\\\",\\\"ConsentContext.OnBehalfOfAll\\\",\\\"ConsentContext.Tags\\\",\\\"ConsentAction.Permissions\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"M
ozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622848\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"24524679-8930-4afd-83b8-2dc70aa0a016\",\"ModifiedProperties\":[{\"Name\":\"ConsentContext.IsAdminConsent\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.IsAppOnly\",\"NewValue\":\"False\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.OnBehalfOfAll\",\"NewValue\":\"True\",\"OldValue\":\"\"},{\"Name\":\"ConsentContext.Tags\",\"NewValue\":\"\",\"OldValue\":\"\"},{\"Name\":\"ConsentAction.Permissions\",\"NewValue\":\"[] =\\u003e [[Id: 8OmR-4WUaEqJ6aFk0groVfmOUpib6JpGsZv6jnKgD6Y, ClientId: fb91e9f0-9485-4a68-89e9-a164d20ae855, PrincipalId: , ResourceId: 98528ef9-e89b-469a-b19b-fa8e72a00fa6, ConsentType: AllPrincipals, Scope: User.Read]]; 
\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Consent to application.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "action": "Add app role assignment grant to user.", + "category": [ + "web" + ], "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", + "id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", "kind": "event", - "action": "Consent to application.", - "id": "24524679-8930-4afd-83b8-2dc70aa0a016", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\
":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com", - "target": { - "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - } - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": 
"\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.1421458Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "UserManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622843", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "User", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": 
"18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", + "auditEventCategory": "UserManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622843", + 
"env_time": "2020-02-11T16:45:42.1421458Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "User", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" + }, + "User_ObjectID": { + "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b", + "OldValue": "" }, "User_PUID": { - "OldValue": "", - "NewValue": "1003200096971F55" + "NewValue": "1003200096971F55", + "OldValue": "" }, "User_UPN": { - "OldValue": "", - "NewValue": "asr@testsiem.onmicrosoft.com" - }, - "User_ObjectID": { - "OldValue": "", - "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b" + "NewValue": "asr@testsiem.onmicrosoft.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413670088Z", - "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\
":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment grant to user.", - "id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment grant to user.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\
":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + }, + { + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 + }, + { + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - 
"targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.1421458Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", + "auditEventCategory": "UserManagement", "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "UserManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", "env_popSample": "0", "env_seqNum": "34622843", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", + "env_time": "2020-02-11T16:45:42.1421458Z", "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": 
"[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "extendedAuditEventCategory": "User", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" }, - "Target": [ - { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" - }, - { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" - }, - { - "Type": 2, - "ID": "ServicePrincipal" - }, - { - "Type": 1, - "ID": "siem2" - }, - { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - }, - { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" - } - ], - "RecordType": "8", "ModifiedProperties": { "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" + }, + "User_ObjectID": { + "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b", + "OldValue": "" }, "User_PUID": { - "OldValue": "", - "NewValue": "1003200096971F55" + "NewValue": "1003200096971F55", + "OldValue": "" }, "User_UPN": { - 
"OldValue": "", - "NewValue": "asr@testsiem.onmicrosoft.com" - }, - "User_ObjectID": { - "OldValue": "", - "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b" + "NewValue": "asr@testsiem.onmicrosoft.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + 
"source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413670929Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b
-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40
\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment grant to user.", - "id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:45:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add app role assignment grant to user.", + "category": [ + "web" + ], + "code": "AzureActiveDirectory", + "id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", + "kind": "event", + 
"original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\"
,\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to 
user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "ResultStatus": "Success", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "actorObjectClass": "User", - "teamName": "MSODS.", - "env_cloud_deploymentUnit": "R5", - "targetName": "siem2", - "env_appId": "restdirectoryservice", - "targetSPN": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "env_iKey": "ikey", - "env_osVer": "\u003cnull\u003e", - "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", - "env_time": "2020-02-11T16:45:42.1421458Z", - "env_cloud_role": "restdirectoryservice", - "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", - "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "env_appVer": "1.0.11737.0", - "env_cloud_ver": "1.0", - "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", - "env_cloud_roleInstance": "AM5RRDSR571", - "env_cv": 
"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", - "resultType": "Success", - "auditEventCategory": "UserManagement", - "actorUPN": "asr@testsiem.onmicrosoft.com", - "env_popSample": "0", - "env_seqNum": "34622843", - "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_name": "MSO-AM5R", - "env_ver": "2.1", - "env_cloud_roleVer": "1.0.11737.0", - "env_os": "\u003cnull\u003e", - "targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", - "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", - "version": "2", - "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "extendedAuditEventCategory": "User", - "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "env_cloud_environment": "PROD", - "additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", - "env_epoch": "748B6", - "env_flags": "257", - "actorPUID": "1003200096971F55", - "nCloud": "\u003cnull\u003e" - }, - "Target": [ + "Actor": [ { - "Type": 2, - "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 2, - "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855" + "ID": "1003200096971F55", + "Type": 3 }, { - "Type": 2, - "ID": "ServicePrincipal" + "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "Type": 2 }, { - "Type": 1, - "ID": "siem2" + "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 2, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 2 }, { - "Type": 4, - "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "ID": "User", + "Type": 2 } ], - "RecordType": "8", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"ActorIpAddress": "67.43.156.15", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:45:42", + "ExtendedProperties": { + "actorAppID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", + "actorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "actorObjectClass": "User", + "actorObjectId": "755e500a-6c03-46b0-b53b-282f23374e3b", + "actorPUID": "1003200096971F55", + "actorUPN": "asr@testsiem.onmicrosoft.com", + "additionalDetails": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}", + "additionalTargets": "[{\"ObjectID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"ObjectClass\":\"User\",\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"PUID\":\"1003200096971F55\"}]", + "auditEventCategory": "UserManagement", + "correlationId": "1e80f57e-764e-4c42-bead-7ccf998fe780", + "env_appId": "restdirectoryservice", + "env_appVer": "1.0.11737.0", + "env_cloud_deploymentUnit": "R5", + "env_cloud_environment": "PROD", + "env_cloud_name": "MSO-AM5R", + "env_cloud_role": "restdirectoryservice", + "env_cloud_roleInstance": "AM5RRDSR571", + "env_cloud_roleVer": "1.0.11737.0", + "env_cloud_ver": "1.0", + "env_cv": "##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e", + "env_epoch": "748B6", + "env_flags": "257", + "env_iKey": "ikey", + "env_name": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent", + "env_os": "\u003cnull\u003e", + "env_osVer": "\u003cnull\u003e", + "env_popSample": "0", + "env_seqNum": "34622843", + "env_time": "2020-02-11T16:45:42.1421458Z", + "env_ver": "2.1", + "extendedAuditEventCategory": "User", + "nCloud": "\u003cnull\u003e", + "resultType": "Success", + "targetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "targetIncludedUpdatedProperties": "[\"User.ObjectID\",\"User.UPN\",\"User.PUID\",\"TargetId.ServicePrincipalNames\"]", + "targetName": "siem2", + "targetObjectId": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "targetSPN": 
"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "teamName": "MSODS.", + "version": "2" + }, "ModifiedProperties": { "TargetId_ServicePrincipalNames": { - "OldValue": "", - "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" + "NewValue": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "OldValue": "" + }, + "User_ObjectID": { + "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b", + "OldValue": "" }, "User_PUID": { - "OldValue": "", - "NewValue": "1003200096971F55" + "NewValue": "1003200096971F55", + "OldValue": "" }, "User_UPN": { - "OldValue": "", - "NewValue": "asr@testsiem.onmicrosoft.com" - }, - "User_ObjectID": { - "OldValue": "", - "NewValue": "755e500a-6c03-46b0-b53b-282f23374e3b" + "NewValue": "asr@testsiem.onmicrosoft.com", + "OldValue": "" } }, - "Version": "1", + "ObjectId": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "RecordType": "8", + "ResultStatus": "Success", "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ + "Target": [ { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", + "Type": 2 }, { - "Type": 2, - "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e" + "ID": "ServicePrincipal", + "Type": 2 }, { - "Type": 2, - "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "siem2", + "Type": 1 }, { - "Type": 2, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 2 }, { - "Type": 2, - "ID": "User" + "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", + "Type": 4 } ], - "CreationTime": "2020-02-11T16:45:42", + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - 
"@timestamp": "2020-02-11T16:45:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:47:58.413671780Z", - "original": "{\"Actor\":[{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3},{\"ID\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\",\"Type\":2},{\"ID\":\"User_755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:45:42\",\"ExtendedProperties\":[{\"Name\":\"resultType\",\"Value\":\"Success\"},{\"Name\":\"auditEventCategory\",\"Value\":\"UserManagement\"},{\"Name\":\"nCloud\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"actorContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"actorObjectId\",\"Value\":\"755e500a-6c03-46b0-b53b-282f23374e3b\"},{\"Name\":\"actorObjectClass\",\"Value\":\"User\"},{\"Name\":\"actorUPN\",\"Value\":\"asr@testsiem.onmicrosoft.com\"},{\"Name\":\"actorAppID\",\"Value\":\"18ed3507-a475-4ccb-b669-d66bc9f2a36e\"},{\"Name\":\"actorPUID\",\"Value\":\"1003200096971F55\"},{\"Name\":\"teamName\",\"Value\":\"MSODS.\"},{\"Name\":\"targetContextId\",\"Value\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\"},{\"Name\":\"targetObjectId\",\"Value\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\"},{\"Name\":\"extendedA
uditEventCategory\",\"Value\":\"User\"},{\"Name\":\"targetSPN\",\"Value\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\"},{\"Name\":\"targetName\",\"Value\":\"siem2\"},{\"Name\":\"targetIncludedUpdatedProperties\",\"Value\":\"[\\\"User.ObjectID\\\",\\\"User.UPN\\\",\\\"User.PUID\\\",\\\"TargetId.ServicePrincipalNames\\\"]\"},{\"Name\":\"correlationId\",\"Value\":\"1e80f57e-764e-4c42-bead-7ccf998fe780\"},{\"Name\":\"version\",\"Value\":\"2\"},{\"Name\":\"additionalTargets\",\"Value\":\"[{\\\"ObjectID\\\":\\\"755e500a-6c03-46b0-b53b-282f23374e3b\\\",\\\"ObjectClass\\\":\\\"User\\\",\\\"UPN\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"PUID\\\":\\\"1003200096971F55\\\"}]\"},{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\\\"}\"},{\"Name\":\"env_ver\",\"Value\":\"2.1\"},{\"Name\":\"env_name\",\"Value\":\"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent\"},{\"Name\":\"env_time\",\"Value\":\"2020-02-11T16:45:42.1421458Z\"},{\"Name\":\"env_epoch\",\"Value\":\"748B6\"},{\"Name\":\"env_seqNum\",\"Value\":\"34622843\"},{\"Name\":\"env_popSample\",\"Value\":\"0\"},{\"Name\":\"env_iKey\",\"Value\":\"ikey\"},{\"Name\":\"env_flags\",\"Value\":\"257\"},{\"Name\":\"env_cv\",\"Value\":\"##66bd1840-878d-4dd1-aa64-c618c53aff2e_00000000-0000-0000-0000-000000000000_66bd1840-878d-4dd1-aa64-c618c53aff2e\"},{\"Name\":\"env_os\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_osVer\",\"Value\":\"\\u003cnull\\u003e\"},{\"Name\":\"env_appId\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_appVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_ver\",\"Value\":\"1.0\"},{\"Name\":\"env_cloud_name\",\"Value\":\"MSO-AM5R\"},{\"Name\":\"env_cloud_role\",\"Value\":\"restdirectoryservice\"},{\"Name\":\"env_cloud_roleVer\",\"Value\":\"1.0.11737.0\"},{\"Name\":\"env_cloud_roleInstance\",\"Value\":\"AM5RRDSR571\"},{\"Name\":\"env_cloud_environment\",\"Value\":\"PROD\"},{\"Name\":\"env_cloud_deploymentUnit
\",\"Value\":\"R5\"}],\"Id\":\"fb84e87b-9a45-49bf-91d8-30f3880ca99d\",\"ModifiedProperties\":[{\"Name\":\"User.ObjectID\",\"NewValue\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"OldValue\":\"\"},{\"Name\":\"User.UPN\",\"NewValue\":\"asr@testsiem.onmicrosoft.com\",\"OldValue\":\"\"},{\"Name\":\"User.PUID\",\"NewValue\":\"1003200096971F55\",\"OldValue\":\"\"},{\"Name\":\"TargetId.ServicePrincipalNames\",\"NewValue\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"OldValue\":\"\"}],\"ObjectId\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Operation\":\"Add app role assignment grant to user.\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"fb91e9f0-9485-4a68-89e9-a164d20ae855\",\"Type\":2},{\"ID\":\"ServicePrincipal\",\"Type\":2},{\"ID\":\"siem2\",\"Type\":1},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":2},{\"ID\":\"7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40\",\"Type\":4}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectory", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "Add app role assignment grant to user.", - "id": "fb84e87b-9a45-49bf-91d8-30f3880ca99d", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr", "target": { "id": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40" } 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json index a707b388330..02ae28a25c5 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json 
@@ -1,9037 +1,8140 @@ { "expected": [ { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:13.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "ca0efc24-1b89-4962-8fef-a3ac5437302f", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:13", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", "IntraSystemId": "c4206c29-46c2-4a6f-a46b-735107705400", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:13", - "InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:13.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934147509Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:13\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"ca0efc24-1b89-4962-8fef-a3ac5437302f\",\"InterSystemsId\":\"03616b3a-fc75-46a1-b34a-2d82fc8f1e7e\",\"IntraSystemId\":\"c4206c29-46c2-4a6f-a46b-735107705400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "ca0efc24-1b89-4962-8fef-a3ac5437302f", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:53:24.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:53:24", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "05d69096-cb90-4690-ae69-8acd5177b3e0", "IntraSystemId": "ed155e11-60b3-4764-b9aa-05c35f3bb800", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:53:24", - "InterSystemsId": "05d69096-cb90-4690-ae69-8acd5177b3e0", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:53:24.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934150288Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b53de36d-ea71-4ebf-9b71-feb431bd4eba\",\"InterSystemsId\":\"05d69096-cb90-4690-ae69-8acd5177b3e0\",\"IntraSystemId\":\"ed155e11-60b3-4764-b9aa-05c35f3bb800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "b53de36d-ea71-4ebf-9b71-feb431bd4eba", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:29:01.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "KeepMeSignedIn": "True", - "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" - }, - "IntraSystemId": "6634d05a-72ec-4c27-8e69-03c57b202000", - "Target": [ - { - "Type": 0, - "ID": "Unknown" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "10e2d141-839e-4913-ab3d-6cf1f4856eae", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { "Actor": [ { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, 
{ - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-09T15:29:01", + "ExtendedProperties": { + "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", + "ResultStatusDetail": "Redirect", + "UserAuthenticationMethod": "9" + }, "InterSystemsId": "0f5eb16e-8b22-49bf-a927-f6f310fd5879", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "IntraSystemId": "6634d05a-72ec-4c27-8e69-03c57b202000", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:29:01.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934151500Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"10e2d141-839e-4913-ab3d-6cf1f4856eae\",\"InterSystemsId\":\"0f5eb16e-8b22-49bf-a927-f6f310fd5879\",\"IntraSystemId\":\"6634d05a-72ec-4c27-8e69-03c57b202000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "10e2d141-839e-4913-ab3d-6cf1f4856eae", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:52:06.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "68b3fd99-0dae-4479-926d-03cc0073dd08", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:52:06", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "1150acae-a48d-4752-8847-7bacb7fe6e6c", "IntraSystemId": "1809f830-b010-4389-9607-e01ae175ca00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:52:06", - "InterSystemsId": "1150acae-a48d-4752-8847-7bacb7fe6e6c", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:52:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934152579Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"68b3fd99-0dae-4479-926d-03cc0073dd08\",\"InterSystemsId\":\"1150acae-a48d-4752-8847-7bacb7fe6e6c\",\"IntraSystemId\":\"1809f830-b010-4389-9607-e01ae175ca00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "68b3fd99-0dae-4479-926d-03cc0073dd08", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:53:22.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:53:22", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "16e81fcc-add3-46c2-8834-10ce330ffe76", "IntraSystemId": "2a84e6ff-7340-426e-9d0d-e53092c0c600", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:53:22", - "InterSystemsId": "16e81fcc-add3-46c2-8834-10ce330ffe76", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:53:22.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934153607Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"550af372-cdfd-4286-a1b7-d58df0dcd5d6\",\"InterSystemsId\":\"16e81fcc-add3-46c2-8834-10ce330ffe76\",\"IntraSystemId\":\"2a84e6ff-7340-426e-9d0d-e53092c0c600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "550af372-cdfd-4286-a1b7-d58df0dcd5d6", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:23.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "b5f59a43-00cf-42c4-8685-a7166fd20e38", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:23", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "172703f7-324e-415a-a846-c39ca97eb1c8", "IntraSystemId": "d66cd29f-596e-4878-b756-92b545d25f00", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:23", - "InterSystemsId": "172703f7-324e-415a-a846-c39ca97eb1c8", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:23.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934154669Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"b5f59a43-00cf-42c4-8685-a7166fd20e38\",\"InterSystemsId\":\"172703f7-324e-415a-a846-c39ca97eb1c8\",\"IntraSystemId\":\"d66cd29f-596e-4878-b756-92b545d25f00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "b5f59a43-00cf-42c4-8685-a7166fd20e38", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:41.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:41", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "17f8756c-0bfa-49ad-8537-ada4e17a5f7d", "IntraSystemId": "1b395e92-5d02-408f-8bfe-139098a95500", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:41", - "InterSystemsId": "17f8756c-0bfa-49ad-8537-ada4e17a5f7d", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934155749Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:41\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"32e7fb94-6289-4fb4-855b-2ab78671ca4e\",\"InterSystemsId\":\"17f8756c-0bfa-49ad-8537-ada4e17a5f7d\",\"IntraSystemId\":\"1b395e92-5d02-408f-8bfe-139098a95500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "32e7fb94-6289-4fb4-855b-2ab78671ca4e", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:22.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:22", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "22aac168-9d0d-4c70-b94d-adc337ab7b06", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba18ea6600", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:22", - "InterSystemsId": "22aac168-9d0d-4c70-b94d-adc337ab7b06", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:22.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934156776Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"7314a65a-f383-40fb-a0c7-00c6c4cfabc0\",\"InterSystemsId\":\"22aac168-9d0d-4c70-b94d-adc337ab7b06\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba18ea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "7314a65a-f383-40fb-a0c7-00c6c4cfabc0", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:52:05.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:52:05", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "23321532-a321-4c97-909d-9489979777d6", "IntraSystemId": "1909acba-a486-4ffc-805c-09fb73c0bf00", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:52:05", - "InterSystemsId": "23321532-a321-4c97-909d-9489979777d6", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:52:05.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934157803Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"97b494ee-9ba1-4444-b052-3459bdc9eaa5\",\"InterSystemsId\":\"23321532-a321-4c97-909d-9489979777d6\",\"IntraSystemId\":\"1909acba-a486-4ffc-805c-09fb73c0bf00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "97b494ee-9ba1-4444-b052-3459bdc9eaa5", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { - "name": "Firefox", + "device": { + "name": "Mac" + }, + "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:45.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "391870e6-1729-40ae-9ebb-51e0652fec9b", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:45", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "291fb7ce-4e56-47fd-a78e-4e9012f112ab", "IntraSystemId": "9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:45", - "InterSystemsId": "291fb7ce-4e56-47fd-a78e-4e9012f112ab", - "ApplicationId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934158823Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"391870e6-1729-40ae-9ebb-51e0652fec9b\",\"InterSystemsId\":\"291fb7ce-4e56-47fd-a78e-4e9012f112ab\",\"IntraSystemId\":\"9d47f3e0-1b2d-4c1c-b47b-dcf4bc4d5700\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "391870e6-1729-40ae-9ebb-51e0652fec9b", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:51:49.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:51:49", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "30e5377b-31d8-42c2-8170-13404afacde7", "IntraSystemId": "8971516f-3ef3-4de0-b6b8-ebfae386bc00", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0ff1-ce00-000000000000" + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:51:49", - "InterSystemsId": "30e5377b-31d8-42c2-8170-13404afacde7", - "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:51:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934159901Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"a7538fb0-3213-41dc-ab38-1aed787e0cdc\",\"InterSystemsId\":\"30e5377b-31d8-42c2-8170-13404afacde7\",\"IntraSystemId\":\"8971516f-3ef3-4de0-b6b8-ebfae386bc00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "a7538fb0-3213-41dc-ab38-1aed787e0cdc", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:29:02.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "KeepMeSignedIn": "True", - "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" - }, - "IntraSystemId": "74ab94ce-8928-4aff-8fa2-a66ad6d41f00", - "Target": [ - { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { "Actor": [ { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": 
"asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-09T15:29:02", + "ExtendedProperties": { + "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", + "ResultStatusDetail": "Redirect", + "UserAuthenticationMethod": "9" + }, "InterSystemsId": "32e2f533-40fb-4783-8c66-d1bad7e1cc88", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "IntraSystemId": "74ab94ce-8928-4aff-8fa2-a66ad6d41f00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:29:02.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934161176Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e2a15fc0-6892-41f5-a41c-e515231cbb0a\",\"InterSystemsId\":\"32e2f533-40fb-4783-8c66-d1bad7e1cc88\",\"IntraSystemId\":\"74ab94ce-8928-4aff-8fa2-a66ad6d41f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e2a15fc0-6892-41f5-a41c-e515231cbb0a", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:08.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:08", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "3c5d16f4-16a6-45f4-a53d-abb86e35005b", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f716345800", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:08", - "InterSystemsId": "3c5d16f4-16a6-45f4-a53d-abb86e35005b", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:08.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934162275Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:08\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e11538ff-5fe1-4fdd-8c5d-219d85c47bb3\",\"InterSystemsId\":\"3c5d16f4-16a6-45f4-a53d-abb86e35005b\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f716345800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e11538ff-5fe1-4fdd-8c5d-219d85c47bb3", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:27.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e031670b-bb84-45ee-94ff-0e70a8cd1138", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "KeepMeSignedIn": "True", - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" - }, - "IntraSystemId": "4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000", - "Target": [ - { - "Type": 0, - "ID": "00000002-0000-0ff1-ce00-000000000000" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", "Actor": [ { - "Type": 0, - 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-07T16:43:27", + "ExtendedProperties": { + "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "9" + }, "InterSystemsId": "40077a75-7b58-4623-a64a-f1b7de70fa54", - "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "IntraSystemId": "4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:27.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": 
"2022-01-02T03:48:58.934163385Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:27\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"e031670b-bb84-45ee-94ff-0e70a8cd1138\",\"InterSystemsId\":\"40077a75-7b58-4623-a64a-f1b7de70fa54\",\"IntraSystemId\":\"4d1bd763-9b0b-4d5a-bda9-5c7a0a0a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e031670b-bb84-45ee-94ff-0e70a8cd1138", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + 
"domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-08T14:33:54.000Z", + "client": { + "address": "67.43.156.14", "ip": "67.43.156.14" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "d39944c4-6766-4a89-8d5a-c789175830ee", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.14", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-08T14:33:54", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "425503c9-ccbf-4674-8f1e-4d56510474fd", "IntraSystemId": "57ef1056-6ce2-424a-b241-ce3939d00900", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-08T14:33:54", - "InterSystemsId": "425503c9-ccbf-4674-8f1e-4d56510474fd", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-08T14:33:54.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.14" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.14", + "source": { "ip": "67.43.156.14" }, - "event": { - "ingested": "2022-01-02T03:48:58.934164417Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:54\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d39944c4-6766-4a89-8d5a-c789175830ee\",\"InterSystemsId\":\"425503c9-ccbf-4674-8f1e-4d56510474fd\",\"IntraSystemId\":\"57ef1056-6ce2-424a-b241-ce3939d00900\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "d39944c4-6766-4a89-8d5a-c789175830ee", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:12.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "6f2b7716-1acc-450d-ae13-afad7e02d07e", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:12", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f", "IntraSystemId": "0c8fcffc-a810-4a85-b8e2-3a2fda925c00", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:12", - "InterSystemsId": "4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:12.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934165544Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"6f2b7716-1acc-450d-ae13-afad7e02d07e\",\"InterSystemsId\":\"4409eeeb-0ca5-42dd-99d9-4a6b2fabfa4f\",\"IntraSystemId\":\"0c8fcffc-a810-4a85-b8e2-3a2fda925c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "6f2b7716-1acc-450d-ae13-afad7e02d07e", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:38:35.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "47f3c440-3fb7-4b5e-9c20-455470b289d2", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:38:35", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "4542ce7e-270b-435e-8f81-ee23ea74be75", "IntraSystemId": "9718abaa-220e-49c5-8c9b-588d32b8db00", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:35", - "InterSystemsId": "4542ce7e-270b-435e-8f81-ee23ea74be75", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:35.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934166711Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"47f3c440-3fb7-4b5e-9c20-455470b289d2\",\"InterSystemsId\":\"4542ce7e-270b-435e-8f81-ee23ea74be75\",\"IntraSystemId\":\"9718abaa-220e-49c5-8c9b-588d32b8db00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "47f3c440-3fb7-4b5e-9c20-455470b289d2", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-08T14:38:40.000Z", + "client": { + "address": "67.43.156.14", "ip": "67.43.156.14" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.14", + "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-08T14:38:40", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "4836e306-1460-4f34-ab55-a74c9a14f50d", "IntraSystemId": "2fde8302-c39e-40b6-9c7f-1bb9d4800a00", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-08T14:38:40", - "InterSystemsId": "4836e306-1460-4f34-ab55-a74c9a14f50d", - "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-08T14:38:40.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.14" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.14", + "source": { "ip": "67.43.156.14" }, - "event": { - "ingested": "2022-01-02T03:48:58.934167732Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:38:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"5a3435d0-229a-41c8-bd21-b4f2b662d0f6\",\"InterSystemsId\":\"4836e306-1460-4f34-ab55-a74c9a14f50d\",\"IntraSystemId\":\"2fde8302-c39e-40b6-9c7f-1bb9d4800a00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "5a3435d0-229a-41c8-bd21-b4f2b662d0f6", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:16.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:16", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "4a50a549-adf3-4a22-9037-7fd8cd3d0116", "IntraSystemId": "1d856a16-b179-41ab-9c0d-af1d2b925100", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:16", - "InterSystemsId": "4a50a549-adf3-4a22-9037-7fd8cd3d0116", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:16.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934168760Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"5aff2d1c-b203-46a6-96f0-b8f908f0e968\",\"InterSystemsId\":\"4a50a549-adf3-4a22-9037-7fd8cd3d0116\",\"IntraSystemId\":\"1d856a16-b179-41ab-9c0d-af1d2b925100\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "5aff2d1c-b203-46a6-96f0-b8f908f0e968", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:16.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:16", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "4e44a55e-9c0d-4cea-b000-1b79e96dcf57", "IntraSystemId": "fc33c54e-38b9-4ef2-a4ee-a3a324a45500", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:16", - "InterSystemsId": "4e44a55e-9c0d-4cea-b000-1b79e96dcf57", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:16.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934169837Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3d8033cf-eecd-4eee-87a5-795efd8a1d3d\",\"InterSystemsId\":\"4e44a55e-9c0d-4cea-b000-1b79e96dcf57\",\"IntraSystemId\":\"fc33c54e-38b9-4ef2-a4ee-a3a324a45500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "3d8033cf-eecd-4eee-87a5-795efd8a1d3d", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:38:25.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:38:25", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" 
}, + "InterSystemsId": "4e91c3e1-819e-4ebc-ae68-2037cfc2db92", "IntraSystemId": "a063e495-5883-4837-8186-5828f9f2d500", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:25", - "InterSystemsId": "4e91c3e1-819e-4ebc-ae68-2037cfc2db92", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:25.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934170906Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8bd0a250-74f6-4eeb-ba20-c5bdbd977013\",\"InterSystemsId\":\"4e91c3e1-819e-4ebc-ae68-2037cfc2db92\",\"IntraSystemId\":\"a063e495-5883-4837-8186-5828f9f2d500\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "8bd0a250-74f6-4eeb-ba20-c5bdbd977013", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:04.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:44:04", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "50d648cb-466d-4cf4-b2f8-3b7e84f47040", "IntraSystemId": "64613cae-510d-4a52-b486-070b775e5800", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0ff1-ce00-000000000000" + "ID": "00000003-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:44:04", - "InterSystemsId": "50d648cb-466d-4cf4-b2f8-3b7e84f47040", - "ApplicationId": "08e18876-6177-487e-b8b5-cf950c1e598c", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:44:04.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934171945Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"08e18876-6177-487e-b8b5-cf950c1e598c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558\",\"InterSystemsId\":\"50d648cb-466d-4cf4-b2f8-3b7e84f47040\",\"IntraSystemId\":\"64613cae-510d-4a52-b486-070b775e5800\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "a6fc9a9b-3b7e-4d33-8c0c-1d33d023e558", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:51:45.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "19d57a4a-d32e-4dc6-971f-3491bc440023", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.13", - "ExtendedProperties": { - "KeepMeSignedIn": "False", - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" - }, - "IntraSystemId": "814a32f0-27fd-4e82-855c-13da15a4c300", - "Target": [ - { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", "Actor": [ { - "Type": 0, - 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.13", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-12T10:51:45", + "ExtendedProperties": { + "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "9" + }, "InterSystemsId": "5a453031-0cc3-4577-a589-4c3bf37eed78", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "IntraSystemId": "814a32f0-27fd-4e82-855c-13da15a4c300", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:51:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": 
"2022-01-02T03:48:58.934173044Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"19d57a4a-d32e-4dc6-971f-3491bc440023\",\"InterSystemsId\":\"5a453031-0cc3-4577-a589-4c3bf37eed78\",\"IntraSystemId\":\"814a32f0-27fd-4e82-855c-13da15a4c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "19d57a4a-d32e-4dc6-971f-3491bc440023", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + 
"domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:01.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:01", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "5cd6215d-e206-4c3f-805d-6e386cbdab7a", "IntraSystemId": "9c218a27-ed51-4011-8383-e76850e85000", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:01", - "InterSystemsId": "5cd6215d-e206-4c3f-805d-6e386cbdab7a", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:01.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934174531Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"0b158f74-e223-43c8-9cfd-5f4442f29fc7\",\"InterSystemsId\":\"5cd6215d-e206-4c3f-805d-6e386cbdab7a\",\"IntraSystemId\":\"9c218a27-ed51-4011-8383-e76850e85000\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "0b158f74-e223-43c8-9cfd-5f4442f29fc7", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:51.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "00000003-0000-0ff1-ce00-000000000000", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:51", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "612b339f-1088-a000-f25f-9c8af4d57894", "IntraSystemId": "c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0ff1-ce00-000000000000" + "ID": "00000003-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:51", - "InterSystemsId": "612b339f-1088-a000-f25f-9c8af4d57894", - "ApplicationId": "00000003-0000-0ff1-ce00-000000000000", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:51.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934175560Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4819a0c2-2050-4549-ab66-f5b90cbbcc5a\",\"InterSystemsId\":\"612b339f-1088-a000-f25f-9c8af4d57894\",\"IntraSystemId\":\"c847a864-4ba2-4d8b-a9f2-5f1c1c5c5e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "4819a0c2-2050-4549-ab66-f5b90cbbcc5a", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:38:29.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e94002d9-f6e8-46f9-8702-2a29e908e73d", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:38:29", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "61eb5713-2687-4c00-a7b2-fde4788c395b", "IntraSystemId": "3db9a461-6dd1-4950-b3e3-fbe8c2d5c700", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:29", - "InterSystemsId": "61eb5713-2687-4c00-a7b2-fde4788c395b", - "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:29.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934176644Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:29\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"e94002d9-f6e8-46f9-8702-2a29e908e73d\",\"InterSystemsId\":\"61eb5713-2687-4c00-a7b2-fde4788c395b\",\"IntraSystemId\":\"3db9a461-6dd1-4950-b3e3-fbe8c2d5c700\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e94002d9-f6e8-46f9-8702-2a29e908e73d", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:38:37.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "1ca4f684-3a34-44a8-99b8-064d1071768a", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:38:37", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "61f81224-65fd-4c1b-b388-ee0e25485191", "IntraSystemId": "dc0cc415-9a00-470d-bda3-867e11fdd400", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:37", - "InterSystemsId": "61f81224-65fd-4c1b-b388-ee0e25485191", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934177689Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"1ca4f684-3a34-44a8-99b8-064d1071768a\",\"InterSystemsId\":\"61f81224-65fd-4c1b-b388-ee0e25485191\",\"IntraSystemId\":\"dc0cc415-9a00-470d-bda3-867e11fdd400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "1ca4f684-3a34-44a8-99b8-064d1071768a", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:51:50.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:51:50", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "661f2330-3e04-483d-9781-caaa4543cc13", "IntraSystemId": "01c15486-46e2-487a-91f5-11445da0b600", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:51:50", - "InterSystemsId": "661f2330-3e04-483d-9781-caaa4543cc13", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:51:50.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934178729Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2\",\"InterSystemsId\":\"661f2330-3e04-483d-9781-caaa4543cc13\",\"IntraSystemId\":\"01c15486-46e2-487a-91f5-11445da0b600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "3f6c8eb2-c64b-4dc5-b8fd-be252f8e09c2", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:42.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:42", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "68d7eaa4-aa57-4508-9792-09e80c911aa1", "IntraSystemId": "1590b91f-bffe-4cd8-9028-de52692f5400", + "ModifiedProperties": {}, + "ObjectId": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6" + "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:42", - "InterSystemsId": "68d7eaa4-aa57-4508-9792-09e80c911aa1", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934179782Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:42\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"b290b902-b6f2-49f6-b7f8-ea1541d85c8c\",\"InterSystemsId\":\"68d7eaa4-aa57-4508-9792-09e80c911aa1\",\"IntraSystemId\":\"1590b91f-bffe-4cd8-9028-de52692f5400\",\"ModifiedProperties\":[],\"ObjectId\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"0f698dd4-f011-4d23-a33e-b36416dcb1e6\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "b290b902-b6f2-49f6-b7f8-ea1541d85c8c", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:42:59.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "ResultStatusDetail": "Success", - "RequestType": "Login:login" - }, - "IntraSystemId": "f54da4fe-0a54-45f3-b6ea-39f873eb6000", - "Target": [ - { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", "Actor": [ { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": 
"asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], - "LogonError": "FlowTokenExpired", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-07T16:42:59", + "ExtendedProperties": { + "RequestType": "Login:login", + "ResultStatusDetail": "Success" + }, "InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "IntraSystemId": "f54da4fe-0a54-45f3-b6ea-39f873eb6000", + "LogonError": "FlowTokenExpired", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:42:59.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934180832Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:42:59\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"b0c1c4a7-c6db-4f14-b628-54e37a7a6785\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"f54da4fe-0a54-45f3-b6ea-39f873eb6000\",\"LogonError\":\"FlowTokenExpired\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "b0c1c4a7-c6db-4f14-b628-54e37a7a6785", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": 
"asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:02.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoginFailed", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "failure", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_failure" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Failed", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:02", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": 
"1", "FlowTokenScenario": "Login", - "RequestType": "Login:login" + "RequestType": "Login:login", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "1" }, + "InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", "IntraSystemId": "7fa5e138-ac87-4063-a278-56c6c6965e00", + "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Failed", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", - "CreationTime": "2020-02-07T16:43:02", - "InterSystemsId": "6ae96167-2df2-425c-9f91-27e6345eb782", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:02.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - 
"ingested": "2022-01-02T03:48:58.934181927Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"82d834e4-f6f2-476a-902e-e1e9fd6f87d8\",\"InterSystemsId\":\"6ae96167-2df2-425c-9f91-27e6345eb782\",\"IntraSystemId\":\"7fa5e138-ac87-4063-a278-56c6c6965e00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoginFailed", - "id": "82d834e4-f6f2-476a-902e-e1e9fd6f87d8", - "type": [ - "info", - "start", - "authentication_failure" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "failure" - }, + "tags": [ + "preserve_original_event" + 
], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:38:19.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "Not Available", - "ActorIpAddress": "67.43.156.13", - "ExtendedProperties": { - "ResultStatusDetail": "Success", - "RequestType": "OAuth2:Logout" - }, - "IntraSystemId": "0fee3b91-5e56-45f6-9b3c-792602b1e500", - "Target": [ - { - "Type": 0, - "ID": "Unknown" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "Unknown", + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e5e2c41a-55ea-4681-9d64-78ddd7145bd2", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { "Actor": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "LogonError": "None", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.13", + "ApplicationId": "", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-12T21:38:19", + "ExtendedProperties": { + "RequestType": "OAuth2:Logout", + "ResultStatusDetail": "Success" + }, "InterSystemsId": "6b9a8662-857f-45e4-bbb2-d106d5aab41e", - "ApplicationId": "", + "IntraSystemId": 
"0fee3b91-5e56-45f6-9b3c-792602b1e500", + "LogonError": "None", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "Unknown", + "UserKey": "Not Available", "UserType": "5", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:19.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934183055Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:19\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e5e2c41a-55ea-4681-9d64-78ddd7145bd2\",\"InterSystemsId\":\"6b9a8662-857f-45e4-bbb2-d106d5aab41e\",\"IntraSystemId\":\"0fee3b91-5e56-45f6-9b3c-792602b1e500\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e5e2c41a-55ea-4681-9d64-78ddd7145bd2", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "Unknown" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:40.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:40", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "6bab76a8-98bd-42e4-b722-a31fe81b030a", "IntraSystemId": "c3ebcde8-62f6-4cc4-8e0c-c11c08e76100", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:40", - "InterSystemsId": "6bab76a8-98bd-42e4-b722-a31fe81b030a", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:40.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934184095Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:40\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"2a23206a-2f5d-4cb7-aeb8-f285d10e6f80\",\"InterSystemsId\":\"6bab76a8-98bd-42e4-b722-a31fe81b030a\",\"IntraSystemId\":\"c3ebcde8-62f6-4cc4-8e0c-c11c08e76100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "2a23206a-2f5d-4cb7-aeb8-f285d10e6f80", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:30:58.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "c0a0d198-825b-4e39-b868-0a7b0552b209", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "Not Available", + "Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:30:58", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "RequestType": "OAuth2:Logout" + "RequestType": "OAuth2:Logout", + "ResultStatusDetail": "Success" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "8b270c82-1240-4a0a-ac15-1e1116261400", + "LogonError": "None", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - 
"Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "Unknown", - "Actor": [ - { - "Type": 0, - "ID": "Unknown" - } - ], - "LogonError": "None", - "CreationTime": "2020-02-09T15:30:58", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "", + "UserKey": "Not Available", "UserType": "5", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:30:58.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.15" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934185148Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:30:58\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c0a0d198-825b-4e39-b868-0a7b0552b209\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b270c82-1240-4a0a-ac15-1e1116261400\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "c0a0d198-825b-4e39-b868-0a7b0552b209", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "Unknown" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:31:33.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoginFailed", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "52b07191-3887-40fb-a001-f4122b0851d1", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "failure", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_failure" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "ResultStatus": "Failed", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:31:33", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": 
"1", "FlowTokenScenario": "Login", - "RequestType": "Login:login" + "RequestType": "Login:login", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "1" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "b0faaf7a-913e-4a93-8ccc-ecfaa2b42400", + "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "ModifiedProperties": {}, + "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "RecordType": "15", + "ResultStatus": "Failed", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013" + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", - "CreationTime": "2020-02-09T15:31:33", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:31:33.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - 
"ingested": "2022-01-02T03:48:58.934186290Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:31:33\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"52b07191-3887-40fb-a001-f4122b0851d1\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"b0faaf7a-913e-4a93-8ccc-ecfaa2b42400\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoginFailed", - "id": "52b07191-3887-40fb-a001-f4122b0851d1", - "type": [ - "info", - "start", - "authentication_failure" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "failure" - }, + "tags": [ + "preserve_original_event" + 
], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:14:25.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "c62fa78d-daab-494e-a638-8321ebd71b9e", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "Not Available", + "Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:14:25", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "RequestType": "OAuth2:Logout" + "RequestType": "OAuth2:Logout", + "ResultStatusDetail": "Success" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cbfe534c00", + "LogonError": "None", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - 
"Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "Unknown", - "Actor": [ - { - "Type": 0, - "ID": "Unknown" - } - ], - "LogonError": "None", - "CreationTime": "2020-02-10T15:14:25", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "", + "UserKey": "Not Available", "UserType": "5", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:14:25.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.15" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Unknown" }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.14", + "name": "Mac OS X", + "version": "10.14" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-10T15:14:51.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:48:58.934187366Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:25\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"c62fa78d-daab-494e-a638-8321ebd71b9e\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cbfe534c00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "c62fa78d-daab-494e-a638-8321ebd71b9e", - "type": [ - "info", - "start", - "authentication_success" - ], + "action": "UserLoginFailed", "category": [ "web", "authentication" ], - "outcome": "success" - }, - "user": { - "id": "Unknown" + "code": "AzureActiveDirectoryStsLogon", + "id": "73c76212-8120-4e21-a383-c80d8327b606", + "kind": "event", + "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "failure", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_failure" + ] }, - "user_agent": { - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" - }, - "version": "72.0." 
- } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "ResultStatus": "Failed", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:14:51", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": "1", "FlowTokenScenario": "Login", - "RequestType": "Login:login" + "RequestType": "Login:login", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "1" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "42c7ec91-1e2f-4505-b728-3a165b244f00", + "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "ModifiedProperties": {}, + "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "RecordType": "15", + "ResultStatus": "Failed", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013" + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", - "CreationTime": "2020-02-10T15:14:51", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:14:51.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934188399Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:14:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"73c76212-8120-4e21-a383-c80d8327b606\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"42c7ec91-1e2f-4505-b728-3a165b244f00\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoginFailed", - "id": "73c76212-8120-4e21-a383-c80d8327b606", - "type": [ - "info", - "start", - "authentication_failure" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "failure" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:29:56.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "29f94716-3717-4671-962e-9c739b764f07", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:29:56", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "8b8e8663-8a8c-4959-a692-e3eece085300", + "ModifiedProperties": {}, + "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013" + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:29:56", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:29:56.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934189434Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:29:56\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"29f94716-3717-4671-962e-9c739b764f07\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"8b8e8663-8a8c-4959-a692-e3eece085300\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "29f94716-3717-4671-962e-9c739b764f07", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-11T16:51:23.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "17d02385-1e30-45b7-949c-4d3dd549a0e7", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-11T16:51:23", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "361dd87e-3bc9-4f0a-b236-ed7365e28d00", + "ModifiedProperties": {}, + "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013" + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-11T16:51:23", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-11T16:51:23.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934190478Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-11T16:51:23\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"17d02385-1e30-45b7-949c-4d3dd549a0e7\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"361dd87e-3bc9-4f0a-b236-ed7365e28d00\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "17d02385-1e30-45b7-949c-4d3dd549a0e7", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:39:45.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e3346dd0-ecf6-4676-8765-365c7370b6fe", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "Not Available", + "Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:39:45", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "RequestType": "OAuth2:Logout" + "RequestType": "OAuth2:Logout", + "ResultStatusDetail": "Success" }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", "IntraSystemId": "32b4cec1-00eb-44ea-be73-adc82387db00", + "LogonError": "None", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - 
"Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "Unknown", - "Actor": [ - { - "Type": 0, - "ID": "Unknown" - } - ], - "LogonError": "None", - "CreationTime": "2020-02-12T21:39:45", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", - "ApplicationId": "", + "UserKey": "Not Available", "UserType": "5", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:39:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934191530Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:39:45\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e3346dd0-ecf6-4676-8765-365c7370b6fe\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"32b4cec1-00eb-44ea-be73-adc82387db00\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e3346dd0-ecf6-4676-8765-365c7370b6fe", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "Unknown" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:40:16.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoginFailed", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "a772fd76-847f-4703-90f1-37eb81c9f392", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "failure", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_failure" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "ResultStatus": "Failed", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.13", - "ExtendedProperties": { - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": "1", - "FlowTokenScenario": "Login", - "RequestType": "Login:login" - }, - "IntraSystemId": "a063e495-5883-4837-8186-582817fdd500", - "Target": [ - { - "Type": 0, - "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": 
"asr@testsiem.onmicrosoft.com", "Actor": [ { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], - "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", - "CreationTime": "2020-02-12T21:40:16", - "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.13", "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:40:16", + "ExtendedProperties": { + "FlowTokenScenario": "Login", + "RequestType": "Login:login", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "1" + }, + "InterSystemsId": "6fee997e-1b2a-4a95-a8be-ea85642ed652", + "IntraSystemId": "a063e495-5883-4837-8186-582817fdd500", + "LogonError": "UserStrongAuthClientAuthNRequiredInterrupt", + "ModifiedProperties": {}, + "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "RecordType": "15", + "ResultStatus": "Failed", + "SupportTicketId": "", + "Target": [ + { + "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:40:16.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - 
"host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934192568Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:40:16\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"FlowTokenScenario\",\"Value\":\"Login\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"Login:login\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"a772fd76-847f-4703-90f1-37eb81c9f392\",\"InterSystemsId\":\"6fee997e-1b2a-4a95-a8be-ea85642ed652\",\"IntraSystemId\":\"a063e495-5883-4837-8186-582817fdd500\",\"LogonError\":\"UserStrongAuthClientAuthNRequiredInterrupt\",\"ModifiedProperties\":[],\"ObjectId\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoginFailed", - "id": 
"a772fd76-847f-4703-90f1-37eb81c9f392", - "type": [ - "info", - "start", - "authentication_failure" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "failure" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-08T14:33:52.000Z", + "client": { + "address": "67.43.156.14", "ip": "67.43.156.14" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "487e4f43-53db-4d6f-a314-5355746d4853", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.14", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-08T14:33:52", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "7766ac63-ae7f-43e6-868a-a5422a96fd8b", "IntraSystemId": "adc9d69c-8ae6-41c7-b685-331453060a00", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-08T14:33:52", - "InterSystemsId": "7766ac63-ae7f-43e6-868a-a5422a96fd8b", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-08T14:33:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.14" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.14", + "source": { "ip": "67.43.156.14" }, - "event": { - "ingested": "2022-01-02T03:48:58.934193615Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"487e4f43-53db-4d6f-a314-5355746d4853\",\"InterSystemsId\":\"7766ac63-ae7f-43e6-868a-a5422a96fd8b\",\"IntraSystemId\":\"adc9d69c-8ae6-41c7-b685-331453060a00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "487e4f43-53db-4d6f-a314-5355746d4853", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:53:24.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "41f6b2dc-4db6-444c-93d9-829a842b87e2", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:53:24", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "781c1055-e731-48ee-a806-c3f39ba160e3", "IntraSystemId": "e7fe21ea-ec03-46dd-b272-0a72ebbeac00", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:53:24", - "InterSystemsId": "781c1055-e731-48ee-a806-c3f39ba160e3", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:53:24.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934194754Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:24\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"41f6b2dc-4db6-444c-93d9-829a842b87e2\",\"InterSystemsId\":\"781c1055-e731-48ee-a806-c3f39ba160e3\",\"IntraSystemId\":\"e7fe21ea-ec03-46dd-b272-0a72ebbeac00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "41f6b2dc-4db6-444c-93d9-829a842b87e2", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:22.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:22", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "82b07417-7b33-4531-952f-d3f719e2356a", "IntraSystemId": "280b3410-9d51-4ce3-952d-5bba0bea6600", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0ff1-ce00-000000000000" + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:22", - "InterSystemsId": "82b07417-7b33-4531-952f-d3f719e2356a", - "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:22.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934195835Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:22\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ec9fa29b-6201-456d-b228-ca1759e0bf6c\",\"InterSystemsId\":\"82b07417-7b33-4531-952f-d3f719e2356a\",\"IntraSystemId\":\"280b3410-9d51-4ce3-952d-5bba0bea6600\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "ec9fa29b-6201-456d-b228-ca1759e0bf6c", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-06T09:28:04.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "Not Available", + "Actor": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-06T09:28:04", "ExtendedProperties": { - "ResultStatusDetail": "Success", - "RequestType": "OAuth2:Logout" + "RequestType": "OAuth2:Logout", + "ResultStatusDetail": "Success" }, + "InterSystemsId": "8571fe85-eb4a-430d-b468-97900e344923", "IntraSystemId": "d239e473-6687-4ff9-ac65-0e3c59961600", + "LogonError": "None", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - 
"Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "Unknown", - "Actor": [ - { - "Type": 0, - "ID": "Unknown" - } - ], - "LogonError": "None", - "CreationTime": "2020-02-06T09:28:04", - "InterSystemsId": "8571fe85-eb4a-430d-b468-97900e344923", - "ApplicationId": "", + "UserKey": "Not Available", "UserType": "5", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-06T09:28:04.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.15" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934196872Z", - "original": "{\"Actor\":[{\"ID\":\"Unknown\",\"Type\":0}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:04\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Logout\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"}],\"Id\":\"e988fd90-2eff-4ad7-9f02-030a9d73ad6e\",\"InterSystemsId\":\"8571fe85-eb4a-430d-b468-97900e344923\",\"IntraSystemId\":\"d239e473-6687-4ff9-ac65-0e3c59961600\",\"LogonError\":\"None\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"Unknown\",\"UserKey\":\"Not Available\",\"UserType\":5,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "e988fd90-2eff-4ad7-9f02-030a9d73ad6e", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "Unknown" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.13" + "@timestamp": "2020-02-12T21:38:35.000Z", + "client": { + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:38:35", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", 
"ResultStatusDetail": "Success", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "8d662bc0-0011-424d-a7dc-56bfc5a142b4", "IntraSystemId": "d0a4e1ed-206d-4602-aaae-406a02c5c300", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0ff1-ce00-000000000000" + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:35", - "InterSystemsId": "8d662bc0-0011-424d-a7dc-56bfc5a142b4", - "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:35.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934197894Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:35\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3cbf15a5-84d0-4b0e-ba8e-c3ed43477293\",\"InterSystemsId\":\"8d662bc0-0011-424d-a7dc-56bfc5a142b4\",\"IntraSystemId\":\"d0a4e1ed-206d-4602-aaae-406a02c5c300\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "3cbf15a5-84d0-4b0e-ba8e-c3ed43477293", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:36.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "d2bb7eae-bc6e-42d2-b270-a885ec626235", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:36", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "9270f20a-56f2-493e-b6a7-a859adcaf626", "IntraSystemId": "97aa710f-536f-44c8-a8d5-711dc55f5500", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0ff1-ce00-000000000000" + "ID": "00000002-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:36", - "InterSystemsId": "9270f20a-56f2-493e-b6a7-a859adcaf626", - "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:36.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934199028Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"00000002-0000-0ff1-ce00-000000000000\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d2bb7eae-bc6e-42d2-b270-a885ec626235\",\"InterSystemsId\":\"9270f20a-56f2-493e-b6a7-a859adcaf626\",\"IntraSystemId\":\"97aa710f-536f-44c8-a8d5-711dc55f5500\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "d2bb7eae-bc6e-42d2-b270-a885ec626235", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:51:49.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "03de6d95-b955-451c-8311-473b6853d774", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:51:49", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "97c52753-c410-438f-89e2-22741e5ccc6a", "IntraSystemId": "c9ef5d5f-e3af-4669-b465-921d8b58bd00", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:51:49", - "InterSystemsId": "97c52753-c410-438f-89e2-22741e5ccc6a", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:51:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934200210Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:51:49\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"03de6d95-b955-451c-8311-473b6853d774\",\"InterSystemsId\":\"97c52753-c410-438f-89e2-22741e5ccc6a\",\"IntraSystemId\":\"c9ef5d5f-e3af-4669-b465-921d8b58bd00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "03de6d95-b955-451c-8311-473b6853d774", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000004-0000-0ff1-ce00-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:37", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "9e0a494b-0db0-4481-a70e-eea6124b7018", "IntraSystemId": "e7a84bcf-41ff-4953-8e99-fb1820685f00", + "ModifiedProperties": {}, + "ObjectId": "00000004-0000-0ff1-ce00-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000004-0000-0ff1-ce00-000000000000" + "ID": "00000004-0000-0ff1-ce00-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:37", - "InterSystemsId": "9e0a494b-0db0-4481-a70e-eea6124b7018", - "ApplicationId": "e48d4214-364e-4731-b2b6-47dabf529218", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934201271Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"e48d4214-364e-4731-b2b6-47dabf529218\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"ac8fcffb-7c44-498d-ad6b-24b85a3a1b59\",\"InterSystemsId\":\"9e0a494b-0db0-4481-a70e-eea6124b7018\",\"IntraSystemId\":\"e7a84bcf-41ff-4953-8e99-fb1820685f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000004-0000-0ff1-ce00-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000004-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "ac8fcffb-7c44-498d-ad6b-24b85a3a1b59", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:36.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:36", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "9fc4af4c-bf19-4f88-92ac-0fd029ca21bd", "IntraSystemId": "56fa424b-64bd-4ea5-abc4-38256f8a5600", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:36", - "InterSystemsId": "9fc4af4c-bf19-4f88-92ac-0fd029ca21bd", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:36.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934202337Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:36\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"880fb7bc-5708-42d1-86a8-760c32ac5e6b\",\"InterSystemsId\":\"9fc4af4c-bf19-4f88-92ac-0fd029ca21bd\",\"IntraSystemId\":\"56fa424b-64bd-4ea5-abc4-38256f8a5600\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "880fb7bc-5708-42d1-86a8-760c32ac5e6b", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T21:38:37.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T21:38:37", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "a35e980b-88be-4343-9691-629473e01983", "IntraSystemId": "78a2aa65-5026-4124-970a-00e06dc7df00", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:37", - "InterSystemsId": "a35e980b-88be-4343-9691-629473e01983", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934203448Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"30c7afcc-f74d-4b5a-898e-ce72da9386b8\",\"InterSystemsId\":\"a35e980b-88be-4343-9691-629473e01983\",\"IntraSystemId\":\"78a2aa65-5026-4124-970a-00e06dc7df00\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "30c7afcc-f74d-4b5a-898e-ce72da9386b8", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-06T09:28:00.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-06T09:28:00", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f", "IntraSystemId": "bfe22fb6-c763-4972-91a7-5b13d3d51400", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-06T09:28:00", - "InterSystemsId": "a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-06T09:28:00.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934204445Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-06T09:28:00\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"d4f90f07-f5c4-4b36-a81c-6c9bae8660d6\",\"InterSystemsId\":\"a89e9b3b-b394-4ecf-8abc-a3f6aaf9237f\",\"IntraSystemId\":\"bfe22fb6-c763-4972-91a7-5b13d3d51400\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "d4f90f07-f5c4-4b36-a81c-6c9bae8660d6", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:28:52.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:28:52", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "aca3d9a3-792d-4357-87c6-ef50c3215baa", "IntraSystemId": "f67a1615-4606-4673-b6fb-68f714fa2200", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-09T15:28:52", - "InterSystemsId": "aca3d9a3-792d-4357-87c6-ef50c3215baa", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:28:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934205471Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c\",\"InterSystemsId\":\"aca3d9a3-792d-4357-87c6-ef50c3215baa\",\"IntraSystemId\":\"f67a1615-4606-4673-b6fb-68f714fa2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "d2ad235b-d73f-4bd8-8aef-6e4909ee1b7c", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:37.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "8ff18278-32ca-49d1-8658-91e577e0854f", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:37", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "ae211253-88cf-4921-9014-2f9beab64fb0", "IntraSystemId": "ccfec0f3-498b-43b1-a4c0-fb42f0fb5300", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:37", - "InterSystemsId": "ae211253-88cf-4921-9014-2f9beab64fb0", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:37.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934206466Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:37\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8ff18278-32ca-49d1-8658-91e577e0854f\",\"InterSystemsId\":\"ae211253-88cf-4921-9014-2f9beab64fb0\",\"IntraSystemId\":\"ccfec0f3-498b-43b1-a4c0-fb42f0fb5300\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "8ff18278-32ca-49d1-8658-91e577e0854f", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:28:52.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:28:52", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc", "IntraSystemId": "c1ffa732-6576-4f86-9294-44387abc1f00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-09T15:28:52", - "InterSystemsId": "b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:28:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934207477Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:52\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a3939990-f7b4-4dc5-af4d-42b70a9485ea\",\"InterSystemsId\":\"b3997fcc-6b0e-45b1-b88d-b4ee4a8a7ddc\",\"IntraSystemId\":\"c1ffa732-6576-4f86-9294-44387abc1f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "a3939990-f7b4-4dc5-af4d-42b70a9485ea", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-10T15:13:01.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "61ba70f4-bd75-4bc2-a681-2e219d920e63", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:01", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Success", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "b3ab6d58-7b90-45d6-95e3-ee11333ebc34", "IntraSystemId": "d949d6c2-472e-4901-bd70-96cb90424c00", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:01", - "InterSystemsId": "b3ab6d58-7b90-45d6-95e3-ee11333ebc34", - "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-10T15:13:01.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934208592Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:01\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"61ba70f4-bd75-4bc2-a681-2e219d920e63\",\"InterSystemsId\":\"b3ab6d58-7b90-45d6-95e3-ee11333ebc34\",\"IntraSystemId\":\"d949d6c2-472e-4901-bd70-96cb90424c00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "61ba70f4-bd75-4bc2-a681-2e219d920e63", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:53:12.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000002-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.13", - "ExtendedProperties": { - "KeepMeSignedIn": "False", - "ResultStatusDetail": "Success", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" - }, - "IntraSystemId": "fabbe34e-a6dd-46f8-805f-4ca633c2ae00", - "Target": [ - { - "Type": 0, - "ID": "00000002-0000-0000-c000-000000000000" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", "Actor": [ { - "Type": 0, - 
"ID": "755e500a-6c03-46b0-b53b-282f23374e3b" + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 }, { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 }, { - "Type": 3, - "ID": "1003200096971F55" + "ID": "1003200096971F55", + "Type": 3 } ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.13", + "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "AzureActiveDirectoryEventType": "1", "CreationTime": "2020-02-12T10:53:12", + "ExtendedProperties": { + "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", + "ResultStatusDetail": "Success", + "UserAuthenticationMethod": "9" + }, "InterSystemsId": "b5c5fd00-b659-413e-8739-6271a4d70506", - "ApplicationId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", + "IntraSystemId": "fabbe34e-a6dd-46f8-805f-4ca633c2ae00", + "ModifiedProperties": {}, + "ObjectId": "00000002-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "00000002-0000-0000-c000-000000000000", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:53:12.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": 
"2022-01-02T03:48:58.934209600Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"80ccca67-54bd-44ab-8625-4b79c4dc7775\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:53:12\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"3e17bf8e-92de-45b6-b668-7618ab0e0c95\",\"InterSystemsId\":\"b5c5fd00-b659-413e-8739-6271a4d70506\",\"IntraSystemId\":\"fabbe34e-a6dd-46f8-805f-4ca633c2ae00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000002-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000002-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "3e17bf8e-92de-45b6-b668-7618ab0e0c95", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + 
"domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-12T10:52:06.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "f100d714-ffa2-4077-bf90-2f57a3b366c0", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-12T10:52:06", "ExtendedProperties": { "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "b744259e-13e0-43d7-9f56-82cdbd54cf7c", "IntraSystemId": "ce9f104d-1a1b-488e-9313-b9729e99c400", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T10:52:06", - "InterSystemsId": "b744259e-13e0-43d7-9f56-82cdbd54cf7c", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T10:52:06.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:48:58.934210606Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T10:52:06\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"f100d714-ffa2-4077-bf90-2f57a3b366c0\",\"InterSystemsId\":\"b744259e-13e0-43d7-9f56-82cdbd54cf7c\",\"IntraSystemId\":\"ce9f104d-1a1b-488e-9313-b9729e99c400\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "f100d714-ffa2-4077-bf90-2f57a3b366c0", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-08T14:33:50.000Z", + "client": { + "address": "67.43.156.14", "ip": "67.43.156.14" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.14", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-08T14:33:50", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "b7d9a234-9fdd-4e36-9cf3-fd825f22697a", "IntraSystemId": "49092519-a590-4207-b1b3-1d49f9100a00", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-08T14:33:50", - "InterSystemsId": "b7d9a234-9fdd-4e36-9cf3-fd825f22697a", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-08T14:33:50.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.14" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.14", + "source": { "ip": "67.43.156.14" }, - "event": { - "ingested": "2022-01-02T03:48:58.934211599Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.14\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.14\",\"CreationTime\":\"2020-02-08T14:33:50\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"4b0f0d57-0766-4621-8aa0-04b8d8b63a78\",\"InterSystemsId\":\"b7d9a234-9fdd-4e36-9cf3-fd825f22697a\",\"IntraSystemId\":\"49092519-a590-4207-b1b3-1d49f9100a00\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "4b0f0d57-0766-4621-8aa0-04b8d8b63a78", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" - }, - "tags": [ - "preserve_original_event" - ], - "network": { - "type": "ipv4" - }, - "o365": { - "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", - "ExtendedProperties": { - "KeepMeSignedIn": "False", - "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" - }, - "IntraSystemId": "1da3c318-642f-48dc-836b-e83b27655b00", - "Target": [ - { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" - } - ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", - "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", - "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-10T15:13:38", - "InterSystemsId": "bb677f9e-953a-4bde-bb91-0ef8209200a1", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", - "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - } - }, "@timestamp": "2020-02-10T15:13:38.000Z", - "ecs": 
{ - "version": "8.0.0" - }, - "related": { - "user": [ - "asr" - ], - "ip": [ - "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:48:58.934212596Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", "id": "8d9a1fa8-7b85-4c5d-9e96-5728d572fb95", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-10T15:13:38\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"8d9a1fa8-7b85-4c5d-9e96-5728d572fb95\",\"InterSystemsId\":\"bb677f9e-953a-4bde-bb91-0ef8209200a1\",\"IntraSystemId\":\"1da3c318-642f-48dc-836b-e83b27655b00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", "type": [ "info", "start", "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + ] }, - "user_agent": { - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" - }, - "version": "72.0." 
- } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-10T15:13:38", "ExtendedProperties": { - "KeepMeSignedIn": "True", + "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, - "IntraSystemId": "20e56367-e902-4200-855b-2ef7b99e5f00", + "InterSystemsId": "bb677f9e-953a-4bde-bb91-0ef8209200a1", + "IntraSystemId": "1da3c318-642f-48dc-836b-e83b27655b00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 
0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:44:05", - "InterSystemsId": "c355f078-53d7-4d60-b836-851a09a98208", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:44:05.000Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "asr" - ], - "ip": [ - "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:48:58.934217762Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.15" ], - "outcome": "success" + "user": [ + "asr" + ] }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS 
X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:05.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "9756fe5b-ea0d-42fa-a665-be8e0eb100e5", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:05\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"9756fe5b-ea0d-42fa-a665-be8e0eb100e5\",\"InterSystemsId\":\"c355f078-53d7-4d60-b836-851a09a98208\",\"IntraSystemId\":\"20e56367-e902-4200-855b-2ef7b99e5f00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:44:05", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": 
"OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, - "IntraSystemId": "3188aef9-6b4e-44f2-8455-c28b49552200", + "InterSystemsId": "c355f078-53d7-4d60-b836-851a09a98208", + "IntraSystemId": "20e56367-e902-4200-855b-2ef7b99e5f00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-09T15:28:51", - "InterSystemsId": "c5874ff2-7c53-4d51-9252-7abbf0524b1c", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:28:51.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934218821Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:28:51.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:28:51\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"abbf584f-b3a9-4b6d-9b37-4cc4b802ca4d\",\"InterSystemsId\":\"c5874ff2-7c53-4d51-9252-7abbf0524b1c\",\"IntraSystemId\":\"3188aef9-6b4e-44f2-8455-c28b49552200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "00000003-0000-0000-c000-000000000000", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:28:51", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + 
"UserAuthenticationMethod": "9" }, - "IntraSystemId": "23f53edd-63a7-4292-9d80-4fbc49c11e00", + "InterSystemsId": "c5874ff2-7c53-4d51-9252-7abbf0524b1c", + "IntraSystemId": "3188aef9-6b4e-44f2-8455-c28b49552200", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "00000003-0000-0000-c000-000000000000" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-09T15:25:21", - "InterSystemsId": "cf2168a1-6537-4ed6-80a5-797c3458180c", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:25:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac 
OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.14", + "name": "Mac OS X", + "version": "10.14" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-09T15:25:21.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:48:58.934219845Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": 
"event", "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", "id": "d137a5e4-7004-493a-acca-5fb167d1f207", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"d137a5e4-7004-493a-acca-5fb167d1f207\",\"InterSystemsId\":\"cf2168a1-6537-4ed6-80a5-797c3458180c\",\"IntraSystemId\":\"23f53edd-63a7-4292-9d80-4fbc49c11e00\",\"ModifiedProperties\":[],\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", "type": [ "info", "start", "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + ] }, - "user_agent": { - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" - }, - "version": "72.0." - } - }, - { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.13", + "CreationTime": "2020-02-09T15:25:21", "ExtendedProperties": { - "KeepMeSignedIn": "False", + "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, - "IntraSystemId": "1fa4819f-605a-4ebe-a2c3-bc11c3f8e200", + "InterSystemsId": "cf2168a1-6537-4ed6-80a5-797c3458180c", + "IntraSystemId": "23f53edd-63a7-4292-9d80-4fbc49c11e00", + "ModifiedProperties": {}, + "ObjectId": "00000003-0000-0000-c000-000000000000", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - 
"ID": "Unknown" + "ID": "00000003-0000-0000-c000-000000000000", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-12T21:38:20", - "InterSystemsId": "d21f6867-0670-4c94-b6fa-bde326fcf3c6", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-12T21:38:20.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "asr" - ], - "ip": [ - "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", - "ip": "67.43.156.13" - }, - "event": { - "ingested": "2022-01-02T03:48:58.934220918Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" + "source": { + "ip": "67.43.156.15" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "ip": "67.43.156.15" + "@timestamp": "2020-02-12T21:38:20.000Z", + "client": { + "address": "67.43.156.13", + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "73f0a2ef-35be-4a71-9545-59d879fc8fb2", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.13\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.13\",\"CreationTime\":\"2020-02-12T21:38:20\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"False\"}],\"Id\":\"73f0a2ef-35be-4a71-9545-59d879fc8fb2\",\"InterSystemsId\":\"d21f6867-0670-4c94-b6fa-bde326fcf3c6\",\"IntraSystemId\":\"1fa4819f-605a-4ebe-a2c3-bc11c3f8e200\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", - "ActorIpAddress": "67.43.156.15", + "CreationTime": "2020-02-12T21:38:20", "ExtendedProperties": { - "KeepMeSignedIn": "True", + "KeepMeSignedIn": "False", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - 
"RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, - "IntraSystemId": "f22a3ad7-22e7-4296-a600-e4e9161a6000", + "InterSystemsId": "d21f6867-0670-4c94-b6fa-bde326fcf3c6", + "IntraSystemId": "1fa4819f-605a-4ebe-a2c3-bc11c3f8e200", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:44:02", - "InterSystemsId": "d5effb7f-9d39-4893-90f6-9cfeec7ed1a7", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:44:02.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { + "ip": [ + "67.43.156.13" + ], "user": [ "asr" - ], - "ip": [ - "67.43.156.15" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:48:58.934221963Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "3783acda-5ded-4d69-95b6-3df5344c0ce0", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" + "source": { + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:02.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "3783acda-5ded-4d69-95b6-3df5344c0ce0", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3783acda-5ded-4d69-95b6-3df5344c0ce0\",\"InterSystemsId\":\"d5effb7f-9d39-4893-90f6-9cfeec7ed1a7\",\"IntraSystemId\":\"f22a3ad7-22e7-4296-a600-e4e9161a6000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:44:02", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + 
"UserAuthenticationMethod": "9" }, - "IntraSystemId": "1dfdb693-18a1-4cff-aa3e-61feaa356100", + "InterSystemsId": "d5effb7f-9d39-4893-90f6-9cfeec7ed1a7", + "IntraSystemId": "f22a3ad7-22e7-4296-a600-e4e9161a6000", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:44:03", - "InterSystemsId": "d960e058-1adb-4a84-a65b-1a6ce367e323", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:44:03.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934222978Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "f67568b1-64c4-4165-bdd9-16a5b9142eef", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:03.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "f67568b1-64c4-4165-bdd9-16a5b9142eef", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:44:03\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"f67568b1-64c4-4165-bdd9-16a5b9142eef\",\"InterSystemsId\":\"d960e058-1adb-4a84-a65b-1a6ce367e323\",\"IntraSystemId\":\"1dfdb693-18a1-4cff-aa3e-61feaa356100\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:44:03", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, - "IntraSystemId": "21166e08-6589-4c2d-a325-c97ba45f2200", + "InterSystemsId": "d960e058-1adb-4a84-a65b-1a6ce367e323", + "IntraSystemId": "1dfdb693-18a1-4cff-aa3e-61feaa356100", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-09T15:29:02", - "InterSystemsId": "e2565aaf-91b0-4ccd-8810-743123eb7383", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:29:02.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "67.43.156.15" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": 
"asr" }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.14", + "name": "Mac OS X", + "version": "10.14" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-09T15:29:02.000Z", "client": { "address": "67.43.156.15", "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:48:58.934224Z", - "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", "id": "a8114a24-d342-4689-b75e-51e6386763de", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:29:02\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"a8114a24-d342-4689-b75e-51e6386763de\",\"InterSystemsId\":\"e2565aaf-91b0-4ccd-8810-743123eb7383\",\"IntraSystemId\":\"21166e08-6589-4c2d-a325-c97ba45f2200\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", "type": [ "info", "start", "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:29:02", + "ExtendedProperties": { + "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", + "ResultStatusDetail": "Redirect", + "UserAuthenticationMethod": "9" + }, + "InterSystemsId": "e2565aaf-91b0-4ccd-8810-743123eb7383", + "IntraSystemId": "21166e08-6589-4c2d-a325-c97ba45f2200", + "ModifiedProperties": {}, + 
"ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", + "Target": [ + { + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 + } + ], + "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "UserType": "0", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.15" ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" + "user": [ + "asr" + ] }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-09T15:25:21.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "1eaf9c65-8c67-4cd9-9277-771589113752", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-09T15:25:21", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - 
"UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + "InterSystemsId": "ede626b9-2035-4d02-8330-201c4ae82af6", "IntraSystemId": "98612804-9aa6-40a4-b72a-808bc7742000", + "ModifiedProperties": {}, + "ObjectId": "5f09333a-842c-47da-a157-57da27fcbca5", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "5f09333a-842c-47da-a157-57da27fcbca5" + "ID": "5f09333a-842c-47da-a157-57da27fcbca5", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-09T15:25:21", - "InterSystemsId": "ede626b9-2035-4d02-8330-201c4ae82af6", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-09T15:25:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934225061Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-09T15:25:21\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"1eaf9c65-8c67-4cd9-9277-771589113752\",\"InterSystemsId\":\"ede626b9-2035-4d02-8330-201c4ae82af6\",\"IntraSystemId\":\"98612804-9aa6-40a4-b72a-808bc7742000\",\"ModifiedProperties\":[],\"ObjectId\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"5f09333a-842c-47da-a157-57da27fcbca5\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "1eaf9c65-8c67-4cd9-9277-771589113752", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": 
"asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:39.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "3c439e46-d454-4767-9320-1e75540821b7", + "kind": "event", + "original": "{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Succeeded", - "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", + "Actor": [ + { + "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", + "Type": 0 + }, + { + "ID": "asr@testsiem.onmicrosoft.com", + "Type": 5 + }, + { + "ID": "1003200096971F55", + "Type": 3 + } + ], + "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "ActorIpAddress": "67.43.156.15", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2020-02-07T16:43:39", "ExtendedProperties": { "KeepMeSignedIn": "True", + "RequestType": "OAuth2:Authorize", "ResultStatusDetail": "Redirect", - "UserAuthenticationMethod": "9", - "RequestType": "OAuth2:Authorize" + "UserAuthenticationMethod": "9" }, + 
"InterSystemsId": "fc5c6c90-a6ba-486c-b685-8d67c529d3aa", "IntraSystemId": "6e184f6f-887b-4410-b24d-723031366000", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + "ResultStatus": "Succeeded", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "755e500a-6c03-46b0-b53b-282f23374e3b" - }, - { - "Type": 5, - "ID": "asr@testsiem.onmicrosoft.com" - }, - { - "Type": 3, - "ID": "1003200096971F55" - } - ], - "CreationTime": "2020-02-07T16:43:39", - "InterSystemsId": "fc5c6c90-a6ba-486c-b685-8d67c529d3aa", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "UserType": "0", - "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "Version": "1" } }, - "@timestamp": "2020-02-07T16:43:39.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:48:58.934226079Z", - "original": 
"{\"Actor\":[{\"ID\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"Type\":0},{\"ID\":\"asr@testsiem.onmicrosoft.com\",\"Type\":5},{\"ID\":\"1003200096971F55\",\"Type\":3}],\"ActorContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ActorIpAddress\":\"67.43.156.15\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"AzureActiveDirectoryEventType\":1,\"ClientIP\":\"67.43.156.15\",\"CreationTime\":\"2020-02-07T16:43:39\",\"ExtendedProperties\":[{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"9\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"},{\"Name\":\"ResultStatusDetail\",\"Value\":\"Redirect\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"True\"}],\"Id\":\"3c439e46-d454-4767-9320-1e75540821b7\",\"InterSystemsId\":\"fc5c6c90-a6ba-486c-b685-8d67c529d3aa\",\"IntraSystemId\":\"6e184f6f-887b-4410-b24d-723031366000\",\"ModifiedProperties\":[],\"ObjectId\":\"Unknown\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":15,\"ResultStatus\":\"Succeeded\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"1003200096971F55@testsiem.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "3c439e46-d454-4767-9320-1e75540821b7", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": 
"testsiem.onmicrosoft.com"
+ "id": "asr@testsiem.onmicrosoft.com",
+ "name": "asr"
 },
 "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
 "name": "Firefox",
 "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "os": {
+ "full": "Mac OS X 10.14",
 "name": "Mac OS X",
- "version": "10.14",
- "full": "Mac OS X 10.14"
- },
- "device": {
- "name": "Mac"
+ "version": "10.14"
 },
 "version": "72.0."
 }
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml
index cebdd1f4aa6..eaf2d678a27 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 "@timestamp": "2020-04-28T11:07:58.223Z"
 "_conf":
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json
index 165745939f9..6a42f816154 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-data-insights-api-events.json-expected.json
@@ -1,427 +1,418 @@ { "expected": [ { - "o365": { - "audit": { - "RecordType": "52", - "Version": "1", - "UserId": "Service Account", - "UserKey": "Service Account", - "CreationTime": "2020-02-10T15:13:38", - "DataType": "DataInsightsSubscription", - "UserType": "5" - } - }, "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796854370Z", - "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-10T15:13:38", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-12T21:38:38", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-12T21:38:38.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796856916Z", - "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", + "kind": "event", + "original": 
"{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-12T21:38:38", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-10T15:13:38", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796857886Z", - "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": 
"DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-10T15:13:38", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-12T10:53:26", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-12T10:53:26.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796858775Z", - "original": 
"{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-12T10:53:26", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-12T21:38:38", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + 
} + }, + { "@timestamp": "2020-02-12T21:38:38.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796859674Z", - "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-12T21:38:38", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service 
Account", "UserKey": "Service Account", - "CreationTime": "2020-02-12T10:53:26", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-12T10:53:26.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796860559Z", - "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ 
+ "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-12T10:53:26", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-10T15:13:38", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-10T15:13:38.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796861414Z", - "original": "{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "20a7bbcf-8e64-4e60-b075-08d7ae3bcea0", + "kind": "event", + "original": 
"{\"CreationTime\":\"2020-02-10T15:13:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-10T15:13:38", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-12T10:53:26", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-12T10:53:26.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796862257Z", - "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": 
"DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "3b492d08-23a8-4e65-75ea-08d7afa9c9a2", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-12T10:53:26\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"3b492d08-23a8-4e65-75ea-08d7afa9c9a2\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { "o365": { "audit": { + "CreationTime": "2020-02-12T10:53:26", + "DataType": "DataInsightsSubscription", "RecordType": "52", - "Version": "1", "UserId": "Service Account", "UserKey": "Service Account", - "CreationTime": "2020-02-12T21:38:38", - "DataType": "DataInsightsSubscription", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Service Account" + } + }, + { "@timestamp": "2020-02-12T21:38:38.000Z", "ecs": { "version": "8.0.0" }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:45.796863112Z", - "original": 
"{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "DataInsightsRestApiAudit", - "provider": "SecurityComplianceCenter", - "kind": "event", "action": "SearchDataInsightsSubscription", - "id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "DataInsightsRestApiAudit", + "id": "0ff67168-de8c-45fb-3f7d-08d7b003ebdc", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-12T21:38:38\",\"DataType\":\"DataInsightsSubscription\",\"Id\":\"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\",\"Operation\":\"SearchDataInsightsSubscription\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":52,\"UserId\":\"Service Account\",\"UserKey\":\"Service Account\",\"UserType\":5,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "Service Account" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "CreationTime": "2020-02-12T21:38:38", + "DataType": "DataInsightsSubscription", + "RecordType": "52", + "UserId": "Service Account", + "UserKey": "Service Account", + "UserType": "5", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "id": "Service Account" + } } ] } \ No newline at end of file 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json index deb9ee20010..3563685f8de 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-exchange-events.json-expected.json @@ -1,6 +1,7 @@ { "expected": [ { + "@timestamp": "2020-02-24T20:11:15.000Z", "destination": { "user": { "email": [ 
@@ -9,49 +10,54 @@ ] } }, - "rule": { - "name": [ - "High volume of content detected test", - "Mid volume of content detected test" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DlpRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "code": "ComplianceDLPExchange", + "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of 
content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "failure", + "provider": "Exchange", + "severity": 4, + "type": [ + "info", + "access" ] }, - "source": { - "user": { - "email": "asr@testsiem2.onmicrosoft.com" - } + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "message": "Here's the phony data", - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "13", - "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Version": "1", + "CreationTime": "2020-02-24T20:11:15", "ExchangeMetaData": { + "BCC": [], "CC": [ "asr@example.net" ], - "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", - "BCC": [], + "FileSize": 13405, + "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", + "RecipientCount": 2, + "Sent": "2020-02-24T20:11:14", "To": [ "asr@example.org" ], - "RecipientCount": 2, - "FileSize": 13405, - "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Sent": 
"2020-02-24T20:11:14" + "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa" }, - "UserId": "DlpAgent", - "UserKey": "1153801116545789462", - "CreationTime": "2020-02-24T20:11:15", + "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", "PolicyDetails": [ { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", "Rules": [ { "ActionParameters": [ @@ -62,34 +68,34 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "High", - "RuleName": "High volume of content detected test" + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" }, { "ActionParameters": [ 
@@ -100,79 +106,73 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "Medium", - "RuleName": "Mid volume of content detected test" + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" } - ], - "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", - "PolicyName": "test" + ] } ], + "RecordType": "13", + "SensitiveInfoDetectionIsIncluded": false, + "UserId": "DlpAgent", + "UserKey": "1153801116545789462", "UserType": "4", - "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-24T20:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:47.263736661Z", - "original": 
"{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ComplianceDLPExchange", - "provider": "Exchange", - "kind": "alert", - "action": "DlpRuleMatch", - "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" ], - "outcome": "failure" + "name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ] + }, + "source": { + "user": { + "email": "asr@testsiem2.onmicrosoft.com" + } }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "DlpAgent" } }, { + "@timestamp": "2020-02-24T20:11:15.000Z", "destination": { "user": { "email": [ 
@@ -181,49 +181,54 @@ ] } }, - "rule": { - "name": [ - "High volume of content detected test", - "Mid volume of content detected test" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DlpRuleUndo", + "category": [ + "web", + "file" ], - "id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "code": "ComplianceDLPExchange", + "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleUndo\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of 
content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "severity": 4, + "type": [ + "info", + "access" ] }, - "source": { - "user": { - "email": "asr@testsiem2.onmicrosoft.com" - } + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "message": "Here's the phony data", - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "13", - "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Version": "1", + "CreationTime": "2020-02-24T20:11:15", "ExchangeMetaData": { + "BCC": [], "CC": [ "asr@example.net" ], - "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", - "BCC": [], + "FileSize": 13405, + "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", + "RecipientCount": 2, + "Sent": "2020-02-24T20:11:14", "To": [ "asr@example.org" ], - "RecipientCount": 2, - "FileSize": 13405, - "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Sent": 
"2020-02-24T20:11:14" + "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa" }, - "UserId": "DlpAgent", - "UserKey": "1153801116545789462", - "CreationTime": "2020-02-24T20:11:15", + "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", "PolicyDetails": [ { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", "Rules": [ { "ActionParameters": [ @@ -234,34 +239,34 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "High", - "RuleName": "High volume of content detected test" + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" }, { "ActionParameters": [ 
@@ -272,79 +277,73 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "Medium", - "RuleName": "Mid volume of content detected test" + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" } - ], - "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", - "PolicyName": "test" + ] } ], + "RecordType": "13", + "SensitiveInfoDetectionIsIncluded": false, + "UserId": "DlpAgent", + "UserKey": "1153801116545789462", "UserType": "4", - "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-24T20:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:47.263738866Z", - "original": 
"{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleUndo\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ComplianceDLPExchange", - "provider": "Exchange", - "kind": "alert", - "action": "DlpRuleUndo", - "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" ], - "outcome": "success" + "name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ] + }, + "source": { + "user": { + "email": "asr@testsiem2.onmicrosoft.com" + } }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "DlpAgent" } }, { + "@timestamp": "2020-02-24T20:11:15.000Z", "destination": { "user": { "email": [ 
@@ -353,49 +352,57 @@ ] } }, - "rule": { - "name": [ - "High volume of content detected test", - "Mid volume of content detected test" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DlpRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "code": "ComplianceDLPExchange", + "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":\"{ \\\"Justification\\\": \\\"I really need to share those files\\\" }\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "severity": 4, + "type": [ + "info", + "access" ] }, - "source": { - "user": { - "email": "asr@testsiem2.onmicrosoft.com" - } + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "message": "Here's the phony data", - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "13", - "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Version": "1", + "CreationTime": "2020-02-24T20:11:15", + "ExceptionInfo": { + "Reason": "{ \"Justification\": \"I really need to share those files\" }" + }, "ExchangeMetaData": { + "BCC": [], "CC": [ "asr@example.net" ], - "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", - "BCC": [], + "FileSize": 13405, + "MessageID": 
"\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", + "RecipientCount": 2, + "Sent": "2020-02-24T20:11:14", "To": [ "asr@example.org" ], - "RecipientCount": 2, - "FileSize": 13405, - "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Sent": "2020-02-24T20:11:14" + "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa" }, - "UserId": "DlpAgent", - "UserKey": "1153801116545789462", - "CreationTime": "2020-02-24T20:11:15", + "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", "PolicyDetails": [ { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", "Rules": [ { "ActionParameters": [ @@ -406,34 +413,34 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "High", - "RuleName": "High volume of content detected test" + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" }, { "ActionParameters": [ 
@@ -444,82 +451,73 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "Medium", - "RuleName": "Mid volume of content detected test" + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" } - ], - "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", - "PolicyName": "test" + ] } ], + "RecordType": "13", + "SensitiveInfoDetectionIsIncluded": false, + "UserId": "DlpAgent", + "UserKey": "1153801116545789462", "UserType": "4", - "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", - "ExceptionInfo": { - "Reason": "{ \"Justification\": \"I really need to share those files\" }" - }, - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-24T20:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:47.263739749Z", - "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":\"{ \\\"Justification\\\": \\\"I really need to share those files\\\" 
}\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ComplianceDLPExchange", - "provider": "Exchange", - "kind": "alert", - "action": "DlpRuleMatch", - "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" ], - "outcome": "success" + "name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ] }, + "source": { + "user": { + "email": "asr@testsiem2.onmicrosoft.com" + } + }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "DlpAgent" } }, { + "@timestamp": "2020-02-24T20:11:15.000Z", "destination": { "user": { "email": [ 
@@ -528,49 +526,57 @@ ] } }, - "rule": { - "name": [ - "High volume of content detected test", - "Mid volume of content detected test" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DlpRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "51e3d97a-e159-4645-9092-608bd24e083a", - "51e3d97a-1234-4645-9092-608bd24e083a" + "code": "ComplianceDLPExchange", + "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":{\"FalsePositive\":true},\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "severity": 4, + "type": [ + "info", + "access" ] }, - "source": { - "user": { - "email": "asr@testsiem2.onmicrosoft.com" - } + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "message": "Here's the phony data", - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "13", - "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Version": "1", + "CreationTime": "2020-02-24T20:11:15", + "ExceptionInfo": { + "FalsePositive": true + }, "ExchangeMetaData": { + "BCC": [], "CC": [ "asr@example.net" ], - "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", - "BCC": [], + "FileSize": 13405, + "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", + 
"RecipientCount": 2, + "Sent": "2020-02-24T20:11:14", "To": [ "asr@example.org" ], - "RecipientCount": 2, - "FileSize": 13405, - "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Sent": "2020-02-24T20:11:14" + "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa" }, - "UserId": "DlpAgent", - "UserKey": "1153801116545789462", - "CreationTime": "2020-02-24T20:11:15", + "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", "PolicyDetails": [ { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", "Rules": [ { "ActionParameters": [ @@ -581,34 +587,34 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "High", - "RuleName": "High volume of content detected test" + "RuleId": "51e3d97a-e159-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "High volume of content detected test", + "Severity": "High" }, { "ActionParameters": [ 
@@ -619,82 +625,73 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", - "RuleMode": "Enable", "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "Medium", - "RuleName": "Mid volume of content detected test" + "RuleId": "51e3d97a-1234-4645-9092-608bd24e083a", + "RuleMode": "Enable", + "RuleName": "Mid volume of content detected test", + "Severity": "Medium" } - ], - "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", - "PolicyName": "test" + ] } ], + "RecordType": "13", + "SensitiveInfoDetectionIsIncluded": false, + "UserId": "DlpAgent", + "UserKey": "1153801116545789462", "UserType": "4", - "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", - "ExceptionInfo": { - "FalsePositive": true - }, - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-24T20:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:47.263740569Z", - "original": 
"{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExceptionInfo\":{\"FalsePositive\":true},\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13405,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"d5a0e7d9-e06f-498c-8413-eb83b7dbd516\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-e159-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected test\",\"Severity\":\"High\"},{\"ActionParameters\":[\"GenerateIncidentReport:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"51e3d97a-1234-4645-9092-608bd24e083a\",\"RuleMode\":\"Enable\",\"RuleName\":\"Mid volume of content detected test\",\"Severity\":\"Medium\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ComplianceDLPExchange", - "provider": "Exchange", - "kind": "alert", - "action": "DlpRuleMatch", - "id": "d5a0e7d9-e06f-498c-8413-eb83b7dbd516", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "51e3d97a-e159-4645-9092-608bd24e083a", + "51e3d97a-1234-4645-9092-608bd24e083a" ], - "outcome": "success" + "name": [ + "High volume of content detected test", + "Mid volume of content detected test" + ] + }, + "source": { + "user": { + "email": "asr@testsiem2.onmicrosoft.com" + } }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "DlpAgent" } }, { + "@timestamp": "2020-02-24T20:11:15.000Z", "destination": { "user": { "email": [ 
@@ -703,237 +700,234 @@ ] } }, - "rule": { - "name": [ - "Low volume of content detected test" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DlpRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "8398c03a-a00d-42bb-8f80-ead0ad04e1df" + "code": "ComplianceDLPExchange", + "id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13310,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected 
test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "severity": 2, + "type": [ + "info", + "access" ] }, - "source": { - "user": { - "email": "asr@testsiem2.onmicrosoft.com" - } + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "message": "Here's the phony data", - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "13", - "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Version": "1", + "CreationTime": "2020-02-24T20:11:15", "ExchangeMetaData": { + "BCC": [], "CC": [ "asr@example.net" ], - "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa", - "BCC": [], + "FileSize": 13310, + "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", + "RecipientCount": 2, + "Sent": "2020-02-24T20:11:14", "To": [ "asr@example.org" ], - "RecipientCount": 2, - "FileSize": 13310, - "MessageID": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Sent": "2020-02-24T20:11:14" + "UniqueID": "8e103f2f-b293-4062-38b8-08d7b965b2fa" }, - "UserId": "DlpAgent", - "UserKey": "1153801116545789462", - "CreationTime": "2020-02-24T20:11:15", + "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", "PolicyDetails": [ { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", "Rules": [ { + "Actions": [ + "NotifyUser" + ], "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": 
"419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "Low", - "Actions": [ - "NotifyUser" - ], - "RuleName": "Low volume of content detected test", "RuleId": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", - "RuleMode": "Enable" + "RuleMode": "Enable", + "RuleName": "Low volume of content detected test", + "Severity": "Low" } - ], - "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", - "PolicyName": "test" + ] } ], + "RecordType": "13", + "SensitiveInfoDetectionIsIncluded": false, + "UserId": "DlpAgent", + "UserKey": "1153801116545789462", "UserType": "4", - "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-24T20:11:15.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 2, - "ingested": "2022-01-02T03:49:47.263741398Z", - "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"ExchangeMetaData\":{\"BCC\":[],\"CC\":[\"asr@example.net\"],\"FileSize\":13310,\"From\":\"asr@testsiem2.onmicrosoft.com\",\"MessageID\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"RecipientCount\":2,\"Sent\":\"2020-02-24T20:11:14\",\"Subject\":\"Here's the phony 
data\",\"To\":[\"asr@example.org\"],\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\"},\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ComplianceDLPExchange", - "provider": "Exchange", - "kind": "alert", - "action": "DlpRuleMatch", - "id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "8398c03a-a00d-42bb-8f80-ead0ad04e1df" ], - "outcome": "success" + "name": [ + "Low volume of content detected test" + ] }, + "source": { + "user": { + "email": "asr@testsiem2.onmicrosoft.com" + } + }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "DlpAgent" } }, { - "rule": { - "name": [ - "Low volume of content detected test" + "@timestamp": "2020-02-24T20:11:15.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DlpRuleMatch", 
+ "category": [ + "web", + "file" ], - "id": [ - "8398c03a-a00d-42bb-8f80-ead0ad04e1df" + "code": "ComplianceDLPExchange", + "id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Company-Internal-Financial.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://example.net/testsiem2.onmicrosoft.com/sharepoint\",\"From\":\"alice@testsiem2.onmicrosoft.com\",\"LastModifiedTime\":\"2020-02-24T12:13:14Z\",\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"itemCreationTime\":\"2020-02-20T11:23:45\"},\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "severity": 2, + "type": [ + "info", + "access" ] }, - "url": { - "original": 
"https://example.net/testsiem2.onmicrosoft.com/sharepoint" + "file": { + "inode": "8e103f2f-b293-4062-38b8-08d7b965b2fa", + "mtime": "2020-02-24T12:13:14.000Z", + "name": "Company-Internal-Financial.docx", + "owner": "alice@testsiem2.onmicrosoft.com" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "13", - "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", - "Version": "1", - "UserId": "DlpAgent", - "UserKey": "1153801116545789462", "CreationTime": "2020-02-24T20:11:15", - "SharePointMetaData": { - "LastModifiedTime": "2020-02-24T12:13:14Z", - "itemCreationTime": "2020-02-20T11:23:45", - "From": "alice@testsiem2.onmicrosoft.com" - }, + "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", + "ObjectId": "\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\u003e", "PolicyDetails": [ { + "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", + "PolicyName": "test", "Rules": [ { + "Actions": [ + "NotifyUser" + ], "ConditionsMatched": { + "OtherConditions": [ + { + "Name": "AccessScope", + "Value": "IncludeExternalUsers" + } + ], "SensitiveInformation": [ { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41" + "SensitiveType": "419f449f-6d9d-4be1-a154-b531f7a91b41", + "UniqueCount": 1 }, { - "Count": 1, "Confidence": 75, - "UniqueCount": 1, + "Count": 1, "Location": "Message Body", - "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc" - } - ], - "OtherConditions": [ - { - "Value": "IncludeExternalUsers", - "Name": "AccessScope" + "SensitiveType": "b8fe86d1-c056-453b-bfaa-9fe698699ecc", + "UniqueCount": 1 } ] }, - "Severity": "Low", - "Actions": [ - "NotifyUser" - ], - "RuleName": "Low volume of content detected test", "RuleId": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", - "RuleMode": 
"Enable" + "RuleMode": "Enable", + "RuleName": "Low volume of content detected test", + "Severity": "Low" } - ], - "PolicyId": "88956b36-45b3-4828-bf53-78603c0e5f58", - "PolicyName": "test" + ] } ], + "RecordType": "13", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "From": "alice@testsiem2.onmicrosoft.com", + "LastModifiedTime": "2020-02-24T12:13:14Z", + "itemCreationTime": "2020-02-20T11:23:45" + }, + "UserId": "DlpAgent", + "UserKey": "1153801116545789462", "UserType": "4", - "IncidentId": "c1dc582b-fa61-6020-1800-08d7b966ec64", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-24T20:11:15.000Z", - "file": { - "inode": "8e103f2f-b293-4062-38b8-08d7b965b2fa", - "owner": "alice@testsiem2.onmicrosoft.com", - "name": "Company-Internal-Financial.docx", - "mtime": "2020-02-24T12:13:14.000Z" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "alice@testsiem2.onmicrosoft.com" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 2, - "ingested": "2022-01-02T03:49:47.263742173Z", - "original": "{\"CreationTime\":\"2020-02-24T20:11:15\",\"Id\":\"a42123a9-1c07-4dde-9be6-ac71cb9fd16b\",\"IncidentId\":\"c1dc582b-fa61-6020-1800-08d7b966ec64\",\"ObjectId\":\"\\u003cAM0PR05MB4803CDA6206C2F2FEB36DB5AB8EC0@AM0PR05MB4803.eurprd05.prod.outlook.com\\u003e\",\"Operation\":\"DlpRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"88956b36-45b3-4828-bf53-78603c0e5f58\",\"PolicyName\":\"test\",\"Rules\":[{\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"OtherConditions\":[{\"Name\":\"AccessScope\",\"Value\":\"IncludeExternalUsers\"}],\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"Location\":\"Message 
Body\",\"SensitiveType\":\"419f449f-6d9d-4be1-a154-b531f7a91b41\",\"UniqueCount\":1},{\"Confidence\":75,\"Count\":1,\"Location\":\"Message Body\",\"SensitiveType\":\"b8fe86d1-c056-453b-bfaa-9fe698699ecc\",\"UniqueCount\":1}]},\"RuleId\":\"8398c03a-a00d-42bb-8f80-ead0ad04e1df\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected test\",\"Severity\":\"Low\"}]}],\"RecordType\":13,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Company-Internal-Financial.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://example.net/testsiem2.onmicrosoft.com/sharepoint\",\"From\":\"alice@testsiem2.onmicrosoft.com\",\"LastModifiedTime\":\"2020-02-24T12:13:14Z\",\"UniqueID\":\"8e103f2f-b293-4062-38b8-08d7b965b2fa\",\"itemCreationTime\":\"2020-02-20T11:23:45\"},\"UserId\":\"DlpAgent\",\"UserKey\":\"1153801116545789462\",\"UserType\":4,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ComplianceDLPExchange", - "provider": "Exchange", - "kind": "alert", - "action": "DlpRuleMatch", - "id": "a42123a9-1c07-4dde-9be6-ac71cb9fd16b", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "8398c03a-a00d-42bb-8f80-ead0ad04e1df" ], - "outcome": "success" + "name": [ + "Low volume of content detected test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://example.net/testsiem2.onmicrosoft.com/sharepoint" }, "user": { "id": "DlpAgent" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json index dc4062c4277..49ce031a9aa 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-dlp-sharepoint-events.json-expected.json 
@@ -1,45 +1,51 @@ { "expected": [ { - "rule": { - "name": [ - "Low volume of content detected U.S. Financial" + "@timestamp": "2020-02-25T16:20:15.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "c5981414-9f1f-4275-a2df-2fbfb1d03795" + "code": "ComplianceDLPSharePoint", + "id": "a21f13b9-22b6-405b-bf9e-a07ad8d456da", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-25T16:20:15\",\"Id\":\"a21f13b9-22b6-405b-bf9e-a07ad8d456da\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. 
Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:19:43\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "severity": 2, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx" + "file": { + "inode": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "name": "Customers Financial Data.docx", + "owner": "Alan Smithee" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", - "Version": "1", - "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", - "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:20:15", - "SharePointMetaData": { - "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", - "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", - "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", - "ItemCreationTime": "2020-02-25T15:22:49", - "ItemLastModifiedTime": "2020-02-25T16:19:43" - }, + 
"IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", + "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "PolicyDetails": [ { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. Financial Data", "Rules": [ { "ActionParameters": [], "Actions": [ "NotifyUser" ], - "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -49,94 +55,95 @@ } ] }, - "Severity": "Low", - "RuleName": "Low volume of content detected U.S. Financial" + "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected U.S. Financial", + "Severity": "Low" } - ], - "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", - "PolicyName": "U.S. Financial Data" + ] } ], + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "ItemCreationTime": "2020-02-25T15:22:49", + "ItemLastModifiedTime": "2020-02-25T16:19:43", + "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com" + }, + "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "UserType": "4", - "IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-25T16:20:15.000Z", - "file": { - "inode": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", - "owner": "Alan Smithee", - "name": "Customers Financial Data.docx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "Alan Smithee" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 2, - "ingested": "2022-01-02T03:49:49.578342259Z", - "original": "{\"CreationTime\":\"2020-02-25T16:20:15\",\"Id\":\"a21f13b9-22b6-405b-bf9e-a07ad8d456da\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. 
Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:19:43\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", - "code": "ComplianceDLPSharePoint", - "provider": "OneDrive", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "a21f13b9-22b6-405b-bf9e-a07ad8d456da", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "c5981414-9f1f-4275-a2df-2fbfb1d03795" ], - "outcome": "success" + "name": [ + "Low volume of content detected U.S. Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx" }, "user": { "id": "DlpPolicyEventBasedAssistantOneDriveForBusiness" } }, { - "rule": { - "name": [ - "High volume of content detected U.S. 
Financial" + "@timestamp": "2020-02-25T16:23:39.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "7503b92a-67c2-494b-8a46-57ef0d738886" + "code": "ComplianceDLPSharePoint", + "id": "eb8259c8-d2c2-449d-bd35-5c8a033eb629", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"eb8259c8-d2c2-449d-bd35-5c8a033eb629\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", + "outcome": "failure", + "provider": "OneDrive", + "severity": 4, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx" + "file": { + "inode": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "name": "Customers Financial Data Copy.docx", + "owner": "Alan Smithee" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", - "Version": "1", - "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", - "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:23:39", - "SharePointMetaData": { - "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", - "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", - "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", - "ItemCreationTime": "2020-02-25T16:21:50", - "ItemLastModifiedTime": 
"2020-02-25T16:21:44" - }, + "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", + "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "PolicyDetails": [ { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. Financial Data", "Rules": [ { "ActionParameters": [ @@ -147,8 +154,6 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -163,102 +168,101 @@ } ] }, - "Severity": "High", - "RuleName": "High volume of content detected U.S. Financial" + "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", + "RuleMode": "Enable", + "RuleName": "High volume of content detected U.S. Financial", + "Severity": "High" } - ], - "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", - "PolicyName": "U.S. Financial Data" + ] } ], + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "ItemCreationTime": "2020-02-25T16:21:50", + "ItemLastModifiedTime": "2020-02-25T16:21:44", + "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com" + }, + "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "UserType": "4", - "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-25T16:23:39.000Z", - "file": { - "inode": "856386d5-c9cd-46e9-b53b-fd01ed590b68", - "owner": "Alan Smithee", - "name": "Customers Financial Data Copy.docx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "Alan Smithee" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:49.578345387Z", - "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"eb8259c8-d2c2-449d-bd35-5c8a033eb629\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. 
Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", - "code": "ComplianceDLPSharePoint", - "provider": "OneDrive", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "eb8259c8-d2c2-449d-bd35-5c8a033eb629", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "7503b92a-67c2-494b-8a46-57ef0d738886" ], - "outcome": "failure" + "name": [ + "High volume of content detected U.S. 
Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx" }, "user": { "id": "DlpPolicyEventBasedAssistantOneDriveForBusiness" } }, { - "rule": { - "name": [ - "Low volume of content detected U.S. Financial" + "@timestamp": "2020-02-25T16:23:39.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "c5981414-9f1f-4275-a2df-2fbfb1d03795" + "code": "ComplianceDLPSharePoint", + "id": "50a90c83-7e15-4679-8778-d9dd30927e66", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"50a90c83-7e15-4679-8778-d9dd30927e66\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. 
Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "severity": 2, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx" + "file": { + "inode": "856386d5-c9cd-46e9-b53b-fd01ed590b68", + "name": "Customers Financial Data Copy.docx", + "owner": "Alan Smithee" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", - "Version": "1", - "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", - "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:23:39", - "SharePointMetaData": { - "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", - "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", - "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", - "ItemCreationTime": "2020-02-25T16:21:50", - "ItemLastModifiedTime": 
"2020-02-25T16:21:44" - }, + "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", + "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "PolicyDetails": [ { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. Financial Data", "Rules": [ { "ActionParameters": [], "Actions": [ "NotifyUser" ], - "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -273,94 +277,95 @@ } ] }, - "Severity": "Low", - "RuleName": "Low volume of content detected U.S. Financial" + "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected U.S. Financial", + "Severity": "Low" } - ], - "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", - "PolicyName": "U.S. Financial Data" + ] } ], - "UserType": "4", - "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", - "SensitiveInfoDetectionIsIncluded": false - } - }, - "@timestamp": "2020-02-25T16:23:39.000Z", - "file": { - "inode": "856386d5-c9cd-46e9-b53b-fd01ed590b68", - "owner": "Alan Smithee", - "name": "Customers Financial Data Copy.docx" + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "ItemCreationTime": "2020-02-25T16:21:50", + "ItemLastModifiedTime": "2020-02-25T16:21:44", + "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com" + }, + "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "UserType": "4", + "Version": "1" + } }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "Alan Smithee" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 2, - "ingested": "2022-01-02T03:49:49.578346657Z", - "original": 
"{\"CreationTime\":\"2020-02-25T16:23:39\",\"Id\":\"50a90c83-7e15-4679-8778-d9dd30927e66\",\"IncidentId\":\"eeeb7b44-fc69-c19f-b000-08d7ba115afd\",\"ObjectId\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[],\"Actions\":[\"NotifyUser\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"c5981414-9f1f-4275-a2df-2fbfb1d03795\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected U.S. Financial\",\"Severity\":\"Low\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data Copy.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T16:21:50\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"856386d5-c9cd-46e9-b53b-fd01ed590b68\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", - "code": "ComplianceDLPSharePoint", - "provider": "OneDrive", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "50a90c83-7e15-4679-8778-d9dd30927e66", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + 
"c5981414-9f1f-4275-a2df-2fbfb1d03795" ], - "outcome": "success" + "name": [ + "Low volume of content detected U.S. Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx" }, "user": { "id": "DlpPolicyEventBasedAssistantOneDriveForBusiness" } }, { - "rule": { - "name": [ - "High volume of content detected U.S. Financial" + "@timestamp": "2020-02-25T16:22:22.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "7503b92a-67c2-494b-8a46-57ef0d738886" + "code": "ComplianceDLPSharePoint", + "id": "59652f9a-087c-4b65-b88c-b293ade34202", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-25T16:22:22\",\"Id\":\"59652f9a-087c-4b65-b88c-b293ade34202\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", + "outcome": "failure", + "provider": "OneDrive", + "severity": 4, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx" + "file": { + "inode": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", + "name": "Customers Financial Data.docx", + "owner": "Alan Smithee" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", - "Version": "1", - "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", - "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:22:22", - "SharePointMetaData": { - "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", - "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", - "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", - "ItemCreationTime": "2020-02-25T15:22:49", - "ItemLastModifiedTime": "2020-02-25T16:21:44" - }, + 
"IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", + "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "PolicyDetails": [ { + "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", + "PolicyName": "U.S. Financial Data", "Rules": [ { "ActionParameters": [ @@ -371,8 +376,6 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -387,94 +390,95 @@ } ] }, - "Severity": "High", - "RuleName": "High volume of content detected U.S. Financial" + "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", + "RuleMode": "Enable", + "RuleName": "High volume of content detected U.S. Financial", + "Severity": "High" } - ], - "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec", - "PolicyName": "U.S. Financial Data" + ] } ], + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "ItemCreationTime": "2020-02-25T15:22:49", + "ItemLastModifiedTime": "2020-02-25T16:21:44", + "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com" + }, + "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "UserType": "4", - "IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-25T16:22:22.000Z", - "file": { - "inode": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", - "owner": "Alan Smithee", - "name": "Customers Financial Data.docx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "Alan Smithee" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:49.578347746Z", - "original": "{\"CreationTime\":\"2020-02-25T16:22:22\",\"Id\":\"59652f9a-087c-4b65-b88c-b293ade34202\",\"IncidentId\":\"3066c3c5-eb56-dd03-b000-08d7ba115afd\",\"ObjectId\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"a15b4790-085f-43c1-90ad-853b16cedeec\",\"PolicyName\":\"U.S. 
Financial Data\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":12,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":75,\"Count\":1,\"SensitiveType\":\"cb353f78-2b72-4c3c-8827-92ebe4f69fdf\"}]},\"RuleId\":\"7503b92a-67c2-494b-8a46-57ef0d738886\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected U.S. Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Customers Financial Data.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-25T15:22:49\",\"ItemLastModifiedTime\":\"2020-02-25T16:21:44\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"9cc7be1c-dd5a-4895-b7cb-757de6d51b42\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", - "code": "ComplianceDLPSharePoint", - "provider": "OneDrive", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "59652f9a-087c-4b65-b88c-b293ade34202", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "7503b92a-67c2-494b-8a46-57ef0d738886" ], - "outcome": "failure" + "name": [ + "High volume of content detected U.S. 
Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx" }, "user": { "id": "DlpPolicyEventBasedAssistantOneDriveForBusiness" } }, { - "rule": { - "name": [ - "High volume of content detected France Financial" + "@timestamp": "2020-02-26T10:13:48.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "bc4d376f-b038-4695-9362-609d32f963cf" + "code": "ComplianceDLPSharePoint", + "id": "d69c6758-f210-43bd-bac1-563adef4b4cf", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-26T10:13:48\",\"Id\":\"d69c6758-f210-43bd-bac1-563adef4b4cf\",\"IncidentId\":\"f7295114-e601-f2b6-8800-08d7baa56f8b\",\"ObjectId\":\"f026407b-090a-4c15-99b5-09851842d96d\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":23,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"bc4d376f-b038-4695-9362-609d32f963cf\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"INTERNAL CREDIT CARD NUMBERS.docx\",\"FileOwner\":\"Alan 
Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-26T09:44:40\",\"ItemLastModifiedTime\":\"2020-02-26T09:46:23\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"f026407b-090a-4c15-99b5-09851842d96d\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", + "outcome": "failure", + "provider": "OneDrive", + "severity": 4, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx" + "file": { + "inode": "f026407b-090a-4c15-99b5-09851842d96d", + "name": "INTERNAL CREDIT CARD NUMBERS.docx", + "owner": "Alan Smithee" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "ObjectId": "f026407b-090a-4c15-99b5-09851842d96d", - "Version": "1", - "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", - "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-26T10:13:48", - "SharePointMetaData": { - "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", - "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", - "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", - "ItemCreationTime": "2020-02-26T09:44:40", - "ItemLastModifiedTime": "2020-02-26T09:46:23" - }, + "IncidentId": "f7295114-e601-f2b6-8800-08d7baa56f8b", + "ObjectId": "f026407b-090a-4c15-99b5-09851842d96d", "PolicyDetails": [ { + "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", 
+ "PolicyName": "Financial Data Detection", "Rules": [ { "ActionParameters": [ @@ -485,8 +489,6 @@ "NotifyUser", "GenerateIncidentReport" ], - "RuleId": "bc4d376f-b038-4695-9362-609d32f963cf", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -501,95 +503,94 @@ } ] }, - "Severity": "High", - "RuleName": "High volume of content detected France Financial" + "RuleId": "bc4d376f-b038-4695-9362-609d32f963cf", + "RuleMode": "Enable", + "RuleName": "High volume of content detected France Financial", + "Severity": "High" } - ], - "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", - "PolicyName": "Financial Data Detection" + ] } ], + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "From": "ASR@TESTSIEM2.ONMICROSOFT.COM", + "ItemCreationTime": "2020-02-26T09:44:40", + "ItemLastModifiedTime": "2020-02-26T09:46:23", + "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", + "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com" + }, + "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", + "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "UserType": "4", - "IncidentId": "f7295114-e601-f2b6-8800-08d7baa56f8b", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-26T10:13:48.000Z", - "file": { - "inode": "f026407b-090a-4c15-99b5-09851842d96d", - "owner": "Alan Smithee", - "name": "INTERNAL CREDIT CARD NUMBERS.docx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "Alan Smithee" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:49.578348781Z", - "original": 
"{\"CreationTime\":\"2020-02-26T10:13:48\",\"Id\":\"d69c6758-f210-43bd-bac1-563adef4b4cf\",\"IncidentId\":\"f7295114-e601-f2b6-8800-08d7baa56f8b\",\"ObjectId\":\"f026407b-090a-4c15-99b5-09851842d96d\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateIncidentReport:SiteAdmin\"],\"Actions\":[\"BlockAccess\",\"NotifyUser\",\"GenerateIncidentReport\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":23,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"bc4d376f-b038-4695-9362-609d32f963cf\",\"RuleMode\":\"Enable\",\"RuleName\":\"High volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"INTERNAL CREDIT CARD NUMBERS.docx\",\"FileOwner\":\"Alan Smithee\",\"FilePathUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx\",\"From\":\"ASR@TESTSIEM2.ONMICROSOFT.COM\",\"ItemCreationTime\":\"2020-02-26T09:44:40\",\"ItemLastModifiedTime\":\"2020-02-26T09:46:23\",\"SiteCollectionGuid\":\"eae3edad-a192-43a9-b317-98d7ea5e3939\",\"SiteCollectionUrl\":\"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com\",\"UniqueID\":\"f026407b-090a-4c15-99b5-09851842d96d\"},\"UserId\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserKey\":\"DlpPolicyEventBasedAssistantOneDriveForBusiness\",\"UserType\":4,\"Version\":1,\"Workload\":\"OneDrive\"}", - "code": "ComplianceDLPSharePoint", - "provider": "OneDrive", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "d69c6758-f210-43bd-bac1-563adef4b4cf", - "type": [ - "info", - 
"access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "bc4d376f-b038-4695-9362-609d32f963cf" ], - "outcome": "failure" + "name": [ + "High volume of content detected France Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx" }, "user": { "id": "DlpPolicyEventBasedAssistantOneDriveForBusiness" } }, { - "rule": { - "name": [ - "Low volume of content detected France Financial" + "@timestamp": "2020-02-26T12:39:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd" + "code": "ComplianceDLPSharePoint", + "id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "severity": 4, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx" + "file": { + "inode": "3ace820e-9358-4520-9df6-5bd65602cef0", + "name": "Document.docx", + "owner": "alice@testsiem2.onmicrosoft.com" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "Version": "1", - "UserId": "DLPAgent", - "UserKey": "DLPAgent", "CreationTime": "2020-02-26T12:39:40", - "SharePointMetaData": { - "SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", - "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", - "IsViewableByExternalUsers": false, - "From": "alice@testsiem2.onmicrosoft.com", - "ItemCreationTime": "2020-02-26T09:55:38", - "FileSize": 35920, - "ItemLastModifiedTime": "2020-02-26T09:56:12" - }, + "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", "PolicyDetails": [ { + "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", + "PolicyName": "Financial Data 
Detection", "Rules": [ { "ActionParameters": [ @@ -599,8 +600,6 @@ "NotifyUser", "GenerateAlert" ], - "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -615,95 +614,96 @@ } ] }, - "Severity": "High", - "RuleName": "Low volume of content detected France Financial" + "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected France Financial", + "Severity": "High" } - ], - "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", - "PolicyName": "Financial Data Detection" + ] } ], + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "FileSize": 35920, + "From": "alice@testsiem2.onmicrosoft.com", + "IsViewableByExternalUsers": false, + "ItemCreationTime": "2020-02-26T09:55:38", + "ItemLastModifiedTime": "2020-02-26T09:56:12", + "SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", + "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications" + }, + "UserId": "DLPAgent", + "UserKey": "DLPAgent", "UserType": "4", - "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-26T12:39:40.000Z", - "file": { - "inode": "3ace820e-9358-4520-9df6-5bd65602cef0", - "owner": "alice@testsiem2.onmicrosoft.com", - "name": "Document.docx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "alice@testsiem2.onmicrosoft.com" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:49.578349812Z", - "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data 
Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", - "code": "ComplianceDLPSharePoint", - "provider": "SharePoint", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd" ], - "outcome": "success" + "name": [ + "Low volume of content detected France Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx" }, "user": { "id": "DLPAgent" } }, { - "rule": { - "name": [ - "Low volume of content detected France 
Financial" + "@timestamp": "2020-02-26T12:39:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "DLPRuleMatch", + "category": [ + "web", + "file" ], - "id": [ - "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd" + "code": "ComplianceDLPSharePoint", + "id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", + "kind": "alert", + "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France 
Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "severity": 4, + "type": [ + "info", + "access" ] }, - "url": { - "original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx" + "file": { + "inode": "3ace820e-9358-4520-9df6-5bd65602cef0", + "name": "Document.docx", + "owner": "alice@testsiem2.onmicrosoft.com" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { - "RecordType": "11", - "Version": "1", - "UserId": "DLPAgent", - "UserKey": "DLPAgent", "CreationTime": "2020-02-26T12:39:40", - "SharePointMetaData": { - "SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", - "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", - "IsViewableByExternalUsers": false, - "From": "alice@testsiem2.onmicrosoft.com", - "ItemCreationTime": "2020-02-26T09:55:38", - "FileSize": 35920, - "ItemLastModifiedTime": "2020-02-26T09:56:12" - }, + "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", "PolicyDetails": [ { + "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", + "PolicyName": "Financial Data 
Detection", "Rules": [ { "ActionParameters": [ @@ -713,8 +713,6 @@ "NotifyUser", "GenerateAlert" ], - "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", - "RuleMode": "Enable", "ConditionsMatched": { "SensitiveInformation": [ { 
@@ -729,57 +727,52 @@ } ] }, - "Severity": "High", - "RuleName": "Low volume of content detected France Financial" + "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", + "RuleMode": "Enable", + "RuleName": "Low volume of content detected France Financial", + "Severity": "High" } - ], - "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe", - "PolicyName": "Financial Data Detection" + ] } ], + "RecordType": "11", + "SensitiveInfoDetectionIsIncluded": false, + "SharePointMetaData": { + "FileSize": 35920, + "From": "alice@testsiem2.onmicrosoft.com", + "IsViewableByExternalUsers": false, + "ItemCreationTime": "2020-02-26T09:55:38", + "ItemLastModifiedTime": "2020-02-26T09:56:12", + "SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", + "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications" + }, + "UserId": "DLPAgent", + "UserKey": "DLPAgent", "UserType": "4", - "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", - "SensitiveInfoDetectionIsIncluded": false + "Version": "1" } }, - "@timestamp": "2020-02-26T12:39:40.000Z", - "file": { - "inode": "3ace820e-9358-4520-9df6-5bd65602cef0", - "owner": "alice@testsiem2.onmicrosoft.com", - "name": "Document.docx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { "user": [ "alice@testsiem2.onmicrosoft.com" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "event": { - "severity": 4, - "ingested": "2022-01-02T03:49:49.578350846Z", - "original": "{\"CreationTime\":\"2020-02-26T12:39:40\",\"Id\":\"93585ace-96eb-4af1-fdb2-08d7bab8f2bd\",\"IncidentId\":\"0ae82be2-e321-ab52-d000-08d7bab8fe55\",\"Operation\":\"DLPRuleMatch\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"PolicyDetails\":[{\"PolicyId\":\"08745d02-5d45-48bd-98e1-8199ab1efdbe\",\"PolicyName\":\"Financial Data 
Detection\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:asr@testsiem2.onmicrosoft.com\"],\"Actions\":[\"NotifyUser\",\"GenerateAlert\"],\"ConditionsMatched\":{\"SensitiveInformation\":[{\"Confidence\":85,\"Count\":42,\"SensitiveType\":\"50842eb7-edc8-4019-85dd-5a5c1f2bb085\"},{\"Confidence\":85,\"Count\":2,\"SensitiveType\":\"0e9b3178-9678-47dd-a509-37222ca96b42\"}]},\"RuleId\":\"121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd\",\"RuleMode\":\"Enable\",\"RuleName\":\"Low volume of content detected France Financial\",\"Severity\":\"High\"}]}],\"RecordType\":11,\"SensitiveInfoDetectionIsIncluded\":false,\"SharePointMetaData\":{\"FileName\":\"Document.docx\",\"FileOwner\":\"alice@testsiem2.onmicrosoft.com\",\"FilePathUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx\",\"FileSize\":35920,\"From\":\"alice@testsiem2.onmicrosoft.com\",\"IsViewableByExternalUsers\":false,\"ItemCreationTime\":\"2020-02-26T09:55:38\",\"ItemLastModifiedTime\":\"2020-02-26T09:56:12\",\"SiteCollectionGuid\":\"4aaa3319-df17-4ea0-a142-42cf204cfc62\",\"SiteCollectionUrl\":\"https://testsiem2.sharepoint.com/sites/Internalcommunications\",\"UniqueID\":\"3ace820e-9358-4520-9df6-5bd65602cef0\"},\"UserId\":\"DLPAgent\",\"UserKey\":\"DLPAgent\",\"UserType\":4,\"Version\":1,\"Workload\":\"SharePoint\"}", - "code": "ComplianceDLPSharePoint", - "provider": "SharePoint", - "kind": "alert", - "action": "DLPRuleMatch", - "id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" + "rule": { + "id": [ + "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd" ], - "outcome": "success" + "name": [ + "Low volume of content detected France Financial" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx" }, "user": { "id": "DLPAgent" 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json index 22cef25c887..db354444121 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-admin-events.json-expected.json 
@@ -1,7709 +1,7609 @@ { "expected": [ { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:49.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:49", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": 
{ "DomainController": "", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:49", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470269751Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "6c3454e1-1a13-411b-bed1-08d7adfc0c09", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", 
"HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": 
"2022-01-02T03:49:51.470272483Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6c3454e1-1a13-411b-bed1-08d7adfc0c09\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - 
"id": "6c3454e1-1a13-411b-bed1-08d7adfc0c09", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:03.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "b5131b23-3efb-481a-c05b-08d7ac0f2a82", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:03", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", 
"SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:03", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:03.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470273679Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"b5131b23-3efb-481a-c05b-08d7ac0f2a82\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "b5131b23-3efb-481a-c05b-08d7ac0f2a82", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:09.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Install-DefaultSharingPolicy", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ef597809-1c52-4a85-7cce-08d7adfc0939", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:09", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3", "Parameters": { "DomainController": "", "Organization": "testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:09", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - 
"@timestamp": "2020-02-10T07:37:09.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470274680Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"ef597809-1c52-4a85-7cce-08d7adfc0939\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\2c6709f0-beaf-4ffd-99ea-d02c796c25d3\",\"Operation\":\"Install-DefaultSharingPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Install-DefaultSharingPolicy", - "id": "ef597809-1c52-4a85-7cce-08d7adfc0939", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:09.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Install-AdminAuditLogConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "362ff802-6df6-47e5-09a2-08d7adfc095b", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:09", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Parameters": { "DomainController": "", "Organization": "testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:09", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:09.000Z", 
- "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470275544Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:09\",\"ExternalAccess\":true,\"Id\":\"362ff802-6df6-47e5-09a2-08d7adfc095b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Install-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Install-AdminAuditLogConfig", - "id": "362ff802-6df6-47e5-09a2-08d7adfc095b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:13.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "action": "Set-TransportConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:13", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Parameters": { "DomainController": "", "Identity": "testsiem.onmicrosoft.com", "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": 
true, - "CreationTime": "2020-02-10T07:37:13", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:13.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470276407Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-TransportConfig", - "id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": 
"67.43.156.13" - }, "tags": [ "preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "UMDataStorage": "True", - "Arbitration": "True", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", - "Force": "True" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:43", - "UserType": "3" - } - }, + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { "@timestamp": "2020-02-07T20:48:43.000Z", + "destination": { + "ip": "67.43.156.13" + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470277268Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", "action": "Set-Mailbox", - "id": "168019d2-1e8a-4394-e90b-08d7ac0f1e69", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + "code": "ExchangeAdmin", + "id": "168019d2-1e8a-4394-e90b-08d7ac0f1e69", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:43\",\"ExternalAccess\":true,\"Id\":\"168019d2-1e8a-4394-e90b-08d7ac0f1e69\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\"},{\"Name\":\"UMDataStorage\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:43", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", "Parameters": { - "Identity": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", - "InstantMessagingType": "Ocs" + "Arbitration": "True", + "Force": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}", + "UMDataStorage": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:34", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:34.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": 
{ - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470278121Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-OwaMailboxPolicy", - "id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:34.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-OwaMailboxPolicy", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", + "kind": 
"event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:34", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "Identity": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "InstantMessagingType": "Ocs" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:20", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:20.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470278990Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:20.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", 
+ "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:20", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470279851Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:17.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { - "DomainController": "", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "DoNotUpdateRecipients": "True" + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:04", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:04.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + 
"preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:48:04.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:49:51.470280720Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", "action": "Enable-AddressListPaging", - "id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + "code": "ExchangeAdmin", + "id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:04", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com", "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "DoNotUpdateRecipients": "True", + "DomainController": "", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:58", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:58.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470281694Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "a324e83b-d1a3-4855-db2a-08d7ac0f277b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:58.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a324e83b-d1a3-4855-db2a-08d7ac0f277b", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:58\",\"ExternalAccess\":true,\"Id\":\"a324e83b-d1a3-4855-db2a-08d7ac0f277b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", 
+ "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:58", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470282626Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:15.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:09", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:09.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470283510Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 
bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:09.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], - "o365": { - "audit": { - "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:09", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "Parameters": { + "Arbitration": "True", + "Force": "True", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" 
- }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470284479Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:15.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:09", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:09.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470285345Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", - 
"type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:09.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "7dafe4a3-487a-46ec-dadc-08d7ac0f2e06", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7dafe4a3-487a-46ec-dadc-08d7ac0f2e06\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB 
(96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:09", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", - 
"TenantAllowBlockLists": "True", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:18", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:18.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470286300Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ "preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "DomainController": "", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": 
"testsiem.onmicrosoft.com", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:55", - "UserType": "3" - } + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:18.000Z", + "destination": { + "ip": "67.43.156.13" }, - "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470287159Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-Mailbox", + "category": [ + "web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", "kind": "event", - "action": "Set-TenantObjectVersion", - "id": 
"514d0e07-410f-469c-a7f9-08d7ac0f496e", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" 
- ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:18", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "Parameters": { - "DomainController": "", - "Identity": "testsiem.onmicrosoft.com", - "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com" + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "TenantAllowBlockLists": "True", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": 
"2020-02-10T07:37:13", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:13.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470288036Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-TransportConfig", - "id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ 
"preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "DomainController": "", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "SupervisionTags": "Reject;Allow" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:08", - "UserType": "3" - } + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "destination": { + "ip": "67.43.156.13" }, - "@timestamp": "2020-02-10T07:37:08.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470288899Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-TenantObjectVersion", + "category": [ + "web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", "kind": "event", - "action": "Set-TransportConfig", - "id": "e022fa0d-13b2-4314-b707-08d7adfc0868", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:55", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com", "Parameters": { "DomainController": 
"", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:55", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:55.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470289768Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-TenantObjectVersion", - "id": 
"514d0e07-410f-469c-a7f9-08d7ac0f496e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:13.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-TransportConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"ea769bfc-fa67-465c-767a-08d7adfc0b7b\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": 
"2020-02-10T07:37:13", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Parameters": { "DomainController": "", "Identity": "testsiem.onmicrosoft.com", "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:52", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:52.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470290682Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-TransportConfig", - "id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:08.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-TransportConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "e022fa0d-13b2-4314-b707-08d7adfc0868", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:08\",\"ExternalAccess\":true,\"Id\":\"e022fa0d-13b2-4314-b707-08d7adfc0868\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"SupervisionTags\",\"Value\":\"Reject;Allow\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:08", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "OMEncryptionStore": "True", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}" + "DomainController": "", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "SupervisionTags": "Reject;Allow" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:49", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470291606Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 
bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "9eb764a6-fee5-4c3a-6adc-08d7ac0f220f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:55.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-TenantObjectVersion", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "514d0e07-410f-469c-a7f9-08d7ac0f496e", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"514d0e07-410f-469c-a7f9-08d7ac0f496e\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:55", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com", "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", - "TenantAllowBlockLists": "True", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063" + "DomainController": "", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:18", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:18.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470292705Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 
bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:52.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-TransportConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:52", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "DomainController": "", + "Identity": "testsiem.onmicrosoft.com", + "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:56", - "UserType": "3" + "UserType": "3", + 
"Version": "1" } }, - "@timestamp": "2020-02-07T20:48:56.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470293633Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "d83e97f0-951c-4ccc-630e-08d7ac0f267e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:49.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "9eb764a6-fee5-4c3a-6adc-08d7ac0f220f", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:49\",\"ExternalAccess\":true,\"Id\":\"9eb764a6-fee5-4c3a-6adc-08d7ac0f220f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:49", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", 
"HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "OMEncryptionStore": "True", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470294498Z", - 
"original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": 
"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:18.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:18", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - 
"QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "TenantAllowBlockLists": "True", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:57", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:57.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470295357Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:56.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "d83e97f0-951c-4ccc-630e-08d7ac0f267e", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:56\",\"ExternalAccess\":true,\"Id\":\"d83e97f0-951c-4ccc-630e-08d7ac0f267e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:56", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:16", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:16.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470296219Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "979931d3-c99d-45b1-14e1-08d7ac0f3209", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:17.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], - "o365": { - "audit": { - "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB 
(107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:20", - "UserType": "3" - } - }, - "@timestamp": "2020-02-07T20:49:20.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470297162Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", "action": "Set-Mailbox", - "id": "4bddac31-664e-4432-d181-08d7ac0f34d2", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + "code": "ExchangeAdmin", + "id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470298065Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 
bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "4d2e1010-489d-4aa0-e300-08d7ac0f314c", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:57.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:57", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - 
"ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", - "SCLQuarantineEnabled": "False", - "Migration": "True", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "Management": "True", - "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange Migration", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:44", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:44.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470299029Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:16.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "979931d3-c99d-45b1-14e1-08d7ac0f3209", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:16\",\"ExternalAccess\":true,\"Id\":\"979931d3-c99d-45b1-14e1-08d7ac0f3209\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:16", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470299882Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", - 
"type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:20.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "4bddac31-664e-4432-d181-08d7ac0f34d2", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"4bddac31-664e-4432-d181-08d7ac0f34d2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB 
(96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:20", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - 
"SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470300901Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "d3533d4d-f62f-4731-d0c9-08d7adfc0c7b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "4d2e1010-489d-4aa0-e300-08d7ac0f314c", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:14\",\"ExternalAccess\":true,\"Id\":\"4d2e1010-489d-4aa0-e300-08d7ac0f314c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", 
+ "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:20", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:20.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470301814Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:44.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:44", + 
"ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "DisplayName": "Microsoft Exchange Migration", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "Management": "True", + "Migration": "True", + "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": 
"2020-02-07T20:49:08", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:08.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470302798Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "bc03d223-966c-4e33-6cf7-08d7ac0f2d88", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", 
"HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:20", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:20.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": 
"2022-01-02T03:49:51.470303802Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - 
"id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "d3533d4d-f62f-4731-d0c9-08d7adfc0c7b", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d3533d4d-f62f-4731-d0c9-08d7adfc0c7b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", 
"SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:09", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:09.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470304680Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "7a500a7f-cc56-4dfd-d740-08d7ac0f2e45", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:20.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:20", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:10", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:10.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470305545Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "6047e3da-8661-44a4-6fd2-08d7ac0f2e85", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:08.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "bc03d223-966c-4e33-6cf7-08d7ac0f2d88", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:08\",\"ExternalAccess\":true,\"Id\":\"bc03d223-966c-4e33-6cf7-08d7ac0f2d88\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "Parameters": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:08", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - 
"ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:21", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470306449Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:20.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:20\",\"ExternalAccess\":true,\"Id\":\"b9f4dff2-c7f5-41eb-eae8-08d7ac0f3492\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:20", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", 
"HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": 
"2022-01-02T03:49:51.470307306Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - 
"id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:09.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "7a500a7f-cc56-4dfd-d740-08d7ac0f2e45", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:09\",\"ExternalAccess\":true,\"Id\":\"7a500a7f-cc56-4dfd-d740-08d7ac0f2e45\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:09", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { - "MailRouting": "True", - "OABGen": "True", "Arbitration": "True", "Force": "True", - "OMEncryption": "True", - "GMGen": "True", - "ClientExtensions": "True", - "MaxSendSize": "1 GB (1,073,741,824 bytes)", - "SuiteServiceStorage": "True", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", - "UMGrammar": "True", - "MessageTracking": "True" + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + 
"QuarantineMessageStore": "True", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:42", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470308583Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ "preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "DomainController": "", - "IgnoreDehydratedFlag": "True", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "AdminAuditLogEnabled": "True" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:55", - "UserType": "3" - } + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:10.000Z", + "destination": { + "ip": "67.43.156.13" }, - "@timestamp": "2020-02-07T20:49:55.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470309505Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-Mailbox", + "category": [ + "web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "6047e3da-8661-44a4-6fd2-08d7ac0f2e85", "kind": "event", - "action": "Set-AdminAuditLogConfig", - "id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:10\",\"ExternalAccess\":true,\"Id\":\"6047e3da-8661-44a4-6fd2-08d7ac0f2e85\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": 
"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:10", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { - "DomainController": "", - "Identity": "testsiem.onmicrosoft.com", - "HygieneSuite": "Premium" + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:52", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:52.000Z", - "ecs": { - 
"version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470310400Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-TransportConfig", - "id": "fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:21.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:21", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { - "DomainController": "", - "Identity": "testsiem.onmicrosoft.com", - "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com" + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:52", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:52.000Z", - "ecs": { - 
"version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470311258Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-TransportConfig", - "id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": 
{ "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { - "DomainController": "", - "IgnoreDehydratedFlag": "True", - "Organization": "testsiem.onmicrosoft.com" + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:06", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:06.000Z", - "ecs": { - 
"version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470312163Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "New-ExchangeAssistanceConfig", - "id": "627aa8ff-1411-475d-d202-08d7ac0f08a5", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:42.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], - "o365": { - "audit": { - "Parameters": { + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + 
"ClientAppId": "", + "CreationTime": "2020-02-07T20:48:42", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "ClientExtensions": "True", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", - "SCLQuarantineEnabled": "False", - "Migration": "True", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "Management": "True", - "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange Migration", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136" + "GMGen": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "MailRouting": "True", + "MaxSendSize": "1 GB (1,073,741,824 bytes)", + "MessageTracking": "True", + "OABGen": "True", + "OMEncryption": "True", + "SuiteServiceStorage": "True", + "UMGrammar": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" 
+ }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:55.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-AdminAuditLogConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:55", "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:12", - "UserType": "3" + "ObjectId": 
"testsiem.onmicrosoft.com\\Admin Audit Log Settings", + "Parameters": { + "AdminAuditLogEnabled": "True", + "DomainController": "", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "IgnoreDehydratedFlag": "True" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:12.000Z", + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:52.000Z", + "destination": { + "ip": "67.43.156.13" + }, "ecs": { "version": "8.0.0" }, + "event": { + "action": "Set-TransportConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"fd804781-7d7f-4d3a-1ef0-08d7ac0f47e4\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"HygieneSuite\",\"Value\":\"Premium\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:52", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "Parameters": { + "DomainController": "", + "HygieneSuite": "Premium", + "Identity": "testsiem.onmicrosoft.com" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:48:52.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:49:51.470313166Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-TransportConfig", + "category": [ + "web" + ], "code": "ExchangeAdmin", + "id": "8a3c4f54-f2de-4717-dd56-08d7ac0f23be", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:52\",\"ExternalAccess\":true,\"Id\":\"8a3c4f54-f2de-4717-dd56-08d7ac0f23be\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Transport Settings\",\"Operation\":\"Set-TransportConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"OrganizationFederatedMailbox\",\"Value\":\"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:52", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", + "Parameters": { + "DomainController": "", + "Identity": "testsiem.onmicrosoft.com", + "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + 
"tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:48:06.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "New-ExchangeAssistanceConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "627aa8ff-1411-475d-d202-08d7ac0f08a5", "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:06\",\"ExternalAccess\":true,\"Id\":\"627aa8ff-1411-475d-d202-08d7ac0f08a5\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance\",\"Operation\":\"New-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:06", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance", + "Parameters": { + "DomainController": "", + "IgnoreDehydratedFlag": "True", + "Organization": "testsiem.onmicrosoft.com" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + 
"UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:12.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", "id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB 
(32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:12", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "Parameters": { + "Arbitration": "True", + "DisplayName": "Microsoft Exchange Migration", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "Management": "True", + "Migration": "True", + "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" + }, + "RecordType": "1", + 
"ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:18.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", "category": [ "web" ], - "outcome": "success" + "code": "ExchangeAdmin", + "id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:18", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "Parameters": { + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB 
(107,374,182,400 bytes)", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "TenantAllowBlockLists": "True", + "UseDatabaseQuotaDefaults": "False" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:21.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 
GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:21", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB 
(107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", - "TenantAllowBlockLists": "True", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:18", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:18.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": 
"2022-01-02T03:49:51.470314077Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:18\",\"ExternalAccess\":true,\"Id\":\"a4912729-9b49-43b3-d21f-08d7adfc0e8e\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"TenantAllowBlockLists\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/TenantAllowBlocLists_F0767F09-6B4C-4F78-9234-2C0481176063\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - 
"id": "a4912729-9b49-43b3-d21f-08d7adfc0e8e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:15.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "8126fd52-b16b-45c5-6aff-08d7adfc0c97", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", 
"SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:21", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470314934Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "70f24b65-0224-473b-49b8-08d7adfc0c83", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470315819Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"8126fd52-b16b-45c5-6aff-08d7adfc0c97\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "8126fd52-b16b-45c5-6aff-08d7adfc0c97", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", + "@timestamp": "2020-02-10T07:37:17.000Z", + "destination": { "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "515c88f2-2cbf-4214-2d9b-08d7adfc0e0f", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", 
- "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470316675Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"70f24b65-0224-473b-49b8-08d7adfc0c83\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 
bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "70f24b65-0224-473b-49b8-08d7adfc0c83", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:57.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:57", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", 
- "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470317630Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"515c88f2-2cbf-4214-2d9b-08d7adfc0e0f\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - 
"provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "515c88f2-2cbf-4214-2d9b-08d7adfc0e0f", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:02.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "40786a66-fbd5-4a24-d9af-08d7ac0f2a42", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:02", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:57", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:57.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470318740Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", - 
"type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ "preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:02", - "UserType": "3" - } + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "destination": { + "ip": "67.43.156.13" }, - "@timestamp": "2020-02-07T20:49:02.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": 
"mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470319604Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"40786a66-fbd5-4a24-d9af-08d7ac0f2a42\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", "action": "Set-Mailbox", - "id": "40786a66-fbd5-4a24-d9af-08d7ac0f2a42", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + "code": "ExchangeAdmin", + "id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", 
"SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470320664Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"ebda487f-6177-432a-e91d-08d7adfc0d0d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "ebda487f-6177-432a-e91d-08d7adfc0d0d", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:51.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "93d5f028-263c-45f1-dcf9-08d7ac0f2378", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + 
"outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:51", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "DisplayName": "Microsoft Exchange", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:51", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:51.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470321620Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:51\",\"ExternalAccess\":true,\"Id\":\"93d5f028-263c-45f1-dcf9-08d7ac0f2378\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "93d5f028-263c-45f1-dcf9-08d7ac0f2378", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:17.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "1eea5379-4c86-4d6f-00cf-08d7adfc0e23", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470322482Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"1eea5379-4c86-4d6f-00cf-08d7adfc0e23\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 
bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "1eea5379-4c86-4d6f-00cf-08d7adfc0e23", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", + "@timestamp": "2020-02-10T07:37:17.000Z", + "destination": { "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470323437Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", - 
"type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:23.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-RecipientEnforcementProvisioningPolicy", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + 
"CreationTime": "2020-02-10T07:37:23", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Parameters": { "DomainController": "", + "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "IgnoreDehydratedFlag": "True", - "PublicFolderHierarchyMailboxCountQuota": "100", - "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy" + "PublicFolderHierarchyMailboxCountQuota": "100" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:23", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:23.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470324388Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-RecipientEnforcementProvisioningPolicy", - "id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:24.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-AdminAuditLogConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:24", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Parameters": { + "AdminAuditLogEnabled": "True", "DomainController": "", - "IgnoreDehydratedFlag": "True", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "AdminAuditLogEnabled": "True" + "IgnoreDehydratedFlag": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:24", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:24.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + 
"address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:49:51.470325254Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-Mailbox", + "category": [ + "web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", "kind": "event", - "action": "Set-AdminAuditLogConfig", - "id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + 
"ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "Parameters": { + "Arbitration": "True", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:17.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "kind": "event", + 
"original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
+ "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - 
"ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470326162Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange 
Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:24.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-AdminAuditLogConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:24", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "AdminAuditLogEnabled": "True", + "DomainController": "", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", + "IgnoreDehydratedFlag": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:34.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:49:51.470327113Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-OwaMailboxPolicy", + "category": [ + "web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", "kind": "event", - "action": "Set-Mailbox", - "id": "2cbbd2bb-607e-49b1-c02c-08d7adfc0e1c", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "o365": { + "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:34", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "Parameters": { + "Identity": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", + "InstantMessagingType": "Ocs" + }, + "RecordType": "1", + "ResultStatus": "True", + "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", + "UserType": "3", + "Version": "1" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ "preserve_original_event" ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:12.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", + 
"kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": 
"Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:12", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "Parameters": { - "DomainController": "", - "IgnoreDehydratedFlag": "True", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "AdminAuditLogEnabled": "True" + "Arbitration": "True", + "DisplayName": "Microsoft Exchange Migration", + "Force": "True", + "HiddenFromAddressListsEnabled": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "Management": "True", + "Migration": "True", + "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", + "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", + "SCLDeleteEnabled": "False", + "SCLJunkEnabled": "False", + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:24", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:24.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470327984Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"9edbf9fe-f844-401f-e9ec-08d7adfc1242\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-AdminAuditLogConfig", - "id": "9edbf9fe-f844-401f-e9ec-08d7adfc1242", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ "preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "Identity": 
"testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", - "InstantMessagingType": "Ocs" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\OwaMailboxPolicy-Default", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:34", - "UserType": "3" - } + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:14.000Z", + "destination": { + "ip": "67.43.156.13" }, - "@timestamp": "2020-02-07T20:49:34.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470328968Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:34\",\"ExternalAccess\":true,\"Id\":\"0d7995da-038f-40d9-2765-08d7ac0f3d4d\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\",\"Operation\":\"Set-OwaMailboxPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"InstantMessagingType\",\"Value\":\"Ocs\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\OwaMailboxPolicy-Default\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-Mailbox", + "category": [ + "web" + ], "code": "ExchangeAdmin", - 
"provider": "Exchange", + "id": "6ddabbf8-4b7c-4982-2683-08d7adfc0c10", "kind": "event", - "action": "Set-OwaMailboxPolicy", - "id": "0d7995da-038f-40d9-2765-08d7ac0f3d4d", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", - "SCLQuarantineEnabled": "False", - "Migration": "True", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "Management": "True", - "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange Migration", - "Identity": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:12", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:12.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470329849Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"425128e3-4281-42f6-4ec7-08d7adfc0acd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 
bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "425128e3-4281-42f6-4ec7-08d7adfc0acd", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:13.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:13", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "DisplayName": "Microsoft Exchange", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470330847Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"6ddabbf8-4b7c-4982-2683-08d7adfc0c10\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "6ddabbf8-4b7c-4982-2683-08d7adfc0c10", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", + "@timestamp": "2020-02-07T20:49:02.000Z", + "destination": { "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "f580aae6-d0d5-4204-1a13-08d7ac0f2a03", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:02", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", + "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:13", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:13.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470331705Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 
bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:57.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:57", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", 
- "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:02", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:02.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470332648Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:02\",\"ExternalAccess\":true,\"Id\":\"f580aae6-d0d5-4204-1a13-08d7ac0f2a03\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - 
"provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "f580aae6-d0d5-4204-1a13-08d7ac0f2a03", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:15.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "2db154f6-63ae-4a31-c548-08d7adfc0d1d", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:57", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:57.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470333515Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"165a283d-6f9b-4dc2-1b86-08d7ac0f273c\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "165a283d-6f9b-4dc2-1b86-08d7ac0f273c", - 
"type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { "server": { "address": "67.43.156.13", "domain": "HE1PR0102MB3228", "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" - }, "tags": [ "preserve_original_event" ], - "o365": { - "audit": { - "Parameters": { - "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", - "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", - "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", - "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", - "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", - "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", - "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" - }, - "AppId": "", - "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", - "ResultStatus": "True", - "Version": "1", - "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" - } + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:21.000Z", + "destination": { + "ip": "67.43.156.13" }, - "@timestamp": "2020-02-10T07:37:15.000Z", "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": 
"mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470334394Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"2db154f6-63ae-4a31-c548-08d7adfc0d1d\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", "action": "Set-Mailbox", - "id": "2db154f6-63ae-4a31-c548-08d7adfc0d1d", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + "code": "ExchangeAdmin", + "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:21", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", 
"SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:21", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470335311Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:17.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", 
+ "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:17", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:17", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:17.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470336170Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:17\",\"ExternalAccess\":true,\"Id\":\"2202ec45-7abc-49dd-e35e-08d7adfc0e15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "2202ec45-7abc-49dd-e35e-08d7adfc0e15", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:04.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Enable-AddressListPaging", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:04", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com", "Parameters": { + "DoNotUpdateRecipients": "True", "DomainController": "", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "DoNotUpdateRecipients": "True" + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:04", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:04.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470337090Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:04\",\"ExternalAccess\":true,\"Id\":\"a0063917-bb25-4c17-fe2e-08d7ac0f0769\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Enable-AddressListPaging", - "id": "a0063917-bb25-4c17-fe2e-08d7ac0f0769", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", + "@timestamp": "2020-02-07T20:49:55.000Z", + "destination": { "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-AdminAuditLogConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:55", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Parameters": { + "AdminAuditLogEnabled": "True", "DomainController": "", - "IgnoreDehydratedFlag": "True", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "AdminAuditLogEnabled": "True" + "IgnoreDehydratedFlag": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - 
"ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:55", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:55.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470337965Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-AdminAuditLogConfig", - "id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], 
"user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:24.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-ExchangeAssistanceConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "2cb36c1c-1368-4483-9801-08d7adfc11fe", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:24", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance15", "Parameters": { - "PrivacyLinkDisplayEnabled": "True", "Identity": "testsiem.onmicrosoft.com", + "PrivacyLinkDisplayEnabled": "True", "PrivacyStatementURL": 
"http://go.microsoft.com/fwlink/?LinkID=259417" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\ExchangeAssistance15", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:24", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:24.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470338836Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"2cb36c1c-1368-4483-9801-08d7adfc11fe\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\ExchangeAssistance15\",\"Operation\":\"Set-ExchangeAssistanceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\"},{\"Name\":\"PrivacyStatementURL\",\"Value\":\"http://go.microsoft.com/fwlink/?LinkID=259417\"},{\"Name\":\"PrivacyLinkDisplayEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": 
"Set-ExchangeAssistanceConfig", - "id": "2cb36c1c-1368-4483-9801-08d7adfc11fe", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:23.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-RecipientEnforcementProvisioningPolicy", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:23", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Parameters": { "DomainController": "", + "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "IgnoreDehydratedFlag": "True", - "PublicFolderHierarchyMailboxCountQuota": "100", - "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy" + "PublicFolderHierarchyMailboxCountQuota": "100" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:23", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:23.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470340169Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-RecipientEnforcementProvisioningPolicy", - "id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:24.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-TenantObjectVersion", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a9fb5fce-4ce4-43eb-f429-08d7adfc122c", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:24", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com", "Parameters": { "DomainController": "", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:24", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:24.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-07T20:49:49.000Z", + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:49:51.470341037Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:24\",\"ExternalAccess\":true,\"Id\":\"a9fb5fce-4ce4-43eb-f429-08d7adfc122c\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Set-TenantObjectVersion\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Add-MailboxPermission", + "category": [ + "web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "5f84ceaa-e6df-4ba1-1085-08d7ac0f4646", "kind": "event", - "action": "Set-TenantObjectVersion", - "id": "a9fb5fce-4ce4-43eb-f429-08d7adfc122c", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:49", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": { "AccessRights": "FullAccess", "DomainController": "", - "User": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "User": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:49", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470342089Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"5f84ceaa-e6df-4ba1-1085-08d7ac0f4646\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Add-MailboxPermission", - "id": "5f84ceaa-e6df-4ba1-1085-08d7ac0f4646", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:49.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:49", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": { "DomainController": "", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:49", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": 
"mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470342960Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:49\",\"ExternalAccess\":true,\"Id\":\"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:55.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + 
"event": { + "action": "Set-AdminAuditLogConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:55", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "Parameters": { + "AdminAuditLogEnabled": "True", "DomainController": "", - "IgnoreDehydratedFlag": "True", "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "AdminAuditLogEnabled": "True" + "IgnoreDehydratedFlag": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Admin Audit Log Settings", "ResultStatus": "True", - "Version": "1", "UserId": "NT 
AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:55", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:55.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470343877Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:55\",\"ExternalAccess\":true,\"Id\":\"0caecd44-0161-44e5-0e45-08d7ac0f49d6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Admin Audit Log Settings\",\"Operation\":\"Set-AdminAuditLogConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"},{\"Name\":\"AdminAuditLogEnabled\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-AdminAuditLogConfig", - "id": "0caecd44-0161-44e5-0e45-08d7ac0f49d6", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + 
"server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:12.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "7386959b-a0d0-459e-baf8-08d7adfc0b4b", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 
bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:12", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "OMEncryptionStore": "True", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": 
"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:12", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:12.000Z", + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "destination": { + "ip": "67.43.156.13" + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470344746Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:12\",\"ExternalAccess\":true,\"Id\":\"7386959b-a0d0-459e-baf8-08d7adfc0b4b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"OMEncryptionStore\",\"Value\":\"True\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", "action": "Set-Mailbox", - "id": "7386959b-a0d0-459e-baf8-08d7adfc0b4b", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - 
"ip": "67.43.156.13" + "code": "ExchangeAdmin", + "id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": 
"success", + "provider": "Exchange", + "type": [ + "info" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", 
"ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470345657Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"7b5e608f-0a09-4251-8922-08d7adfc0d15\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "7b5e608f-0a09-4251-8922-08d7adfc0d15", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:03.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "96b98335-ab19-4e22-31e0-08d7ac0f2ac2", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:03", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": 
true, - "CreationTime": "2020-02-07T20:49:03", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:03.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470346628Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:03\",\"ExternalAccess\":true,\"Id\":\"96b98335-ab19-4e22-31e0-08d7ac0f2ac2\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "96b98335-ab19-4e22-31e0-08d7ac0f2ac2", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:21.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:21", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", 
"HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:21", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": 
"2022-01-02T03:49:51.470347483Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"a61cdc9a-89ef-402b-102c-08d7ac0f3592\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - 
"id": "a61cdc9a-89ef-402b-102c-08d7ac0f3592", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:04.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 
bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:04", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", 
"SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:04", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:04.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470348351Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:04\",\"ExternalAccess\":true,\"Id\":\"5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{61D4A3E5-D6B5-401C-B13A-CCAD2BA8E8E9}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "5cd5fc38-5b48-47d6-2e47-08d7ac0f2b01", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:21.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - 
"preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ff48ffeb-5c2a-468f-9113-08d7ac0f3512", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:21", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:21", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470349216Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:21\",\"ExternalAccess\":true,\"Id\":\"ff48ffeb-5c2a-468f-9113-08d7ac0f3512\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "ff48ffeb-5c2a-468f-9113-08d7ac0f3512", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": 
true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470350070Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"d16f181c-257c-4d40-45e1-08d7adfc0c02\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "d16f181c-257c-4d40-45e1-08d7adfc0c02", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", + "@timestamp": "2020-02-07T20:48:57.000Z", + "destination": { "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:57", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - 
"ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:57", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:57.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - 
}, - "event": { - "ingested": "2022-01-02T03:49:51.470350984Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"02c7f756-40e0-4c47-d49d-08d7ac0f26bd\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - 
"action": "Set-Mailbox", - "id": "02c7f756-40e0-4c47-d49d-08d7ac0f26bd", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:21.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Add-MailboxPermission", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "86a8ddaf-15d2-44b4-62d5-08d7adfc1062", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:21", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": { "AccessRights": "FullAccess", "DomainController": "", - "User": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}" + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", + "User": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:21", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:21.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - 
"organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470351892Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:21\",\"ExternalAccess\":true,\"Id\":\"86a8ddaf-15d2-44b4-62d5-08d7adfc1062\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\",\"Operation\":\"Add-MailboxPermission\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\"},{\"Name\":\"User\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management\"},{\"Name\":\"AccessRights\",\"Value\":\"FullAccess\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Add-MailboxPermission", - "id": "86a8ddaf-15d2-44b4-62d5-08d7adfc1062", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - 
"address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:57.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "8b544cbd-f42b-4910-82ef-08d7ac0f26fc", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 
bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:57", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + 
"UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:57", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:57.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470352750Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:57\",\"ExternalAccess\":true,\"Id\":\"8b544cbd-f42b-4910-82ef-08d7ac0f26fc\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{E9F19AD5-5B1D-4361-BE94-E55A6E1A6AA3}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "8b544cbd-f42b-4910-82ef-08d7ac0f26fc", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:13.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:13", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "DisplayName": "Microsoft Exchange", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": 
"2020-02-10T07:37:13", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:13.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470353610Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:13\",\"ExternalAccess\":true,\"Id\":\"e6a88958-ff2a-4e9b-d681-08d7adfc0b73\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "e6a88958-ff2a-4e9b-d681-08d7adfc0b73", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:07.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Enable-AddressListPaging", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "d7134fa4-2e25-4a7d-d84d-08d7adfc0802", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:07", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com", "Parameters": { + "DoNotUpdateRecipients": "True", "DomainController": "", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com", - "DoNotUpdateRecipients": "True" + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:07", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:07.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470354530Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:07\",\"ExternalAccess\":true,\"Id\":\"d7134fa4-2e25-4a7d-d84d-08d7adfc0802\",\"ObjectId\":\"testsiem.onmicrosoft.com\",\"Operation\":\"Enable-AddressListPaging\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DoNotUpdateRecipients\",\"Value\":\"True\"},{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Enable-AddressListPaging", - "id": "d7134fa4-2e25-4a7d-d84d-08d7adfc0802", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:14.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:14", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": 
true, - "CreationTime": "2020-02-10T07:37:14", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:14.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470355390Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:14\",\"ExternalAccess\":true,\"Id\":\"ee2a5c48-f068-4672-3e34-08d7adfc0bf4\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "ee2a5c48-f068-4672-3e34-08d7adfc0bf4", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:32.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Install-ResourceConfig", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "060e0f74-72a7-40d1-30fa-08d7ac0f17d8", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:32", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Resource Schema", "Parameters": { "DomainController": "", "Organization": "testsiem.onmicrosoft.com" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Resource Schema", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:32", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:32.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470356248Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:32\",\"ExternalAccess\":true,\"Id\":\"060e0f74-72a7-40d1-30fa-08d7ac0f17d8\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Resource Schema\",\"Operation\":\"Install-ResourceConfig\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 
(67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"Organization\",\"Value\":\"testsiem.onmicrosoft.com\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Install-ResourceConfig", - "id": "060e0f74-72a7-40d1-30fa-08d7ac0f17d8", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", + "@timestamp": "2020-02-10T07:37:23.000Z", + "destination": { "ip": "67.43.156.13" }, - "destination": { - "ip": "67.43.156.13" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-RecipientEnforcementProvisioningPolicy", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota 
Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:23", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Parameters": { "DomainController": "", + "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "IgnoreDehydratedFlag": "True", - "PublicFolderHierarchyMailboxCountQuota": "100", - "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy" + "PublicFolderHierarchyMailboxCountQuota": "100" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:23", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:23.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470357109Z", - "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:23\",\"ExternalAccess\":true,\"Id\":\"80d8b808-c24c-4359-24cf-08d7adfc11e3\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-RecipientEnforcementProvisioningPolicy", - "id": "80d8b808-c24c-4359-24cf-08d7adfc11e3", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:42.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:42", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", "Parameters": { - "MailRouting": "True", - 
"OABGen": "True", "Arbitration": "True", + "ClientExtensions": "True", "Force": "True", - "OMEncryption": "True", "GMGen": "True", - "ClientExtensions": "True", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", + "MailRouting": "True", "MaxSendSize": "1 GB (1,073,741,824 bytes)", + "MessageTracking": "True", + "OABGen": "True", + "OMEncryption": "True", "SuiteServiceStorage": "True", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", - "UMGrammar": "True", - "MessageTracking": "True" + "UMGrammar": "True" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:42", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:42.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470357986Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:42\",\"ExternalAccess\":true,\"Id\":\"27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"UMGrammar\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"MaxSendSize\",\"Value\":\"1 GB (1,073,741,824 bytes)\"},{\"Name\":\"MailRouting\",\"Value\":\"True\"},{\"Name\":\"MessageTracking\",\"Value\":\"True\"},{\"Name\":\"OMEncryption\",\"Value\":\"True\"},{\"Name\":\"OABGen\",\"Value\":\"True\"},{\"Name\":\"ClientExtensions\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}\"},{\"Name\":\"GMGen\",\"Value\":\"True\"},{\"Name\":\"SuiteServiceStorage\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "27fdc2ec-edbd-445c-92bd-08d7ac0f1dc6", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:16.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + 
"action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "c6db95ea-9eae-4b58-d692-08d7adfc0d98", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:16", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:16", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:16.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470358842Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"c6db95ea-9eae-4b58-d692-08d7adfc0d98\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 
bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{505B6405-958B-45A0-BAAE-76A0D7ACAE83}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "c6db95ea-9eae-4b58-d692-08d7adfc0d98", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:52.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-RecipientEnforcementProvisioningPolicy", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "c706f54e-1b00-43ed-5b06-08d7ac0f47a6", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:52", + "ExternalAccess": true, + "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "Parameters": { "DomainController": "", + "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "IgnoreDehydratedFlag": "True", - "PublicFolderHierarchyMailboxCountQuota": "100", - "Identity": "testsiem.onmicrosoft.com\\Recipient Quota Policy" + "PublicFolderHierarchyMailboxCountQuota": "100" }, - "AppId": "", "RecordType": "1", - "ObjectId": "testsiem.onmicrosoft.com\\Recipient Quota Policy", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": 
"2020-02-07T20:49:52", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:52.000Z", + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "related": { + "ip": [ + "67.43.156.13" + ] + }, + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" + } + }, + { + "@timestamp": "2020-02-10T07:37:15.000Z", + "destination": { + "ip": "67.43.156.13" + }, "ecs": { "version": "8.0.0" }, - "related": { - "ip": [ - "67.43.156.13" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, "event": { - "ingested": "2022-01-02T03:49:51.470362488Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:49:52\",\"ExternalAccess\":true,\"Id\":\"c706f54e-1b00-43ed-5b06-08d7ac0f47a6\",\"ObjectId\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\",\"Operation\":\"Set-RecipientEnforcementProvisioningPolicy\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"DomainController\",\"Value\":\"\"},{\"Name\":\"IgnoreDehydratedFlag\",\"Value\":\"True\"},{\"Name\":\"Identity\",\"Value\":\"testsiem.onmicrosoft.com\\\\Recipient Quota Policy\"},{\"Name\":\"PublicFolderHierarchyMailboxCountQuota\",\"Value\":\"100\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "Set-Mailbox", + "category": [ + 
"web" + ], "code": "ExchangeAdmin", - "provider": "Exchange", + "id": "fcd82149-fc1c-4866-e16d-08d7adfc0cff", "kind": "event", - "action": "Set-RecipientEnforcementProvisioningPolicy", - "id": "c706f54e-1b00-43ed-5b06-08d7ac0f47a6", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT 
AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" + ] }, - "destination": { - "ip": "67.43.156.13" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:15", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-10T07:37:15", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:15.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470363548Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:15\",\"ExternalAccess\":true,\"Id\":\"fcd82149-fc1c-4866-e16d-08d7adfc0cff\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 
bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{368F7EFB-D8B2-448B-A304-41EA44801476}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "fcd82149-fc1c-4866-e16d-08d7adfc0cff", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:48:44.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": 
"Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", + "kind": "event", + "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM 
(Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:48:44", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", + "DisplayName": "Microsoft Exchange Migration", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", - "SCLQuarantineEnabled": "False", - "Migration": "True", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", + "IssueWarningQuota": "9 GB (9,663,676,416 bytes)", "Management": "True", + "Migration": "True", "ProhibitSendQuota": "10 GB (10,737,418,240 bytes)", + "ProhibitSendReceiveQuota": "10 GB (10,737,418,240 bytes)", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "DisplayName": "Microsoft Exchange Migration", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:48:44", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:48:44.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470364407Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-07T20:48:44\",\"ExternalAccess\":true,\"Id\":\"e79cb83c-25b7-4777-57f0-08d7ac0f1f74\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"Management\",\"Value\":\"True\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"DisplayName\",\"Value\":\"Microsoft Exchange Migration\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"9 GB (9,663,676,416 
bytes)\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"Migration\",\"Value\":\"True\"},{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"10 GB (10,737,418,240 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Migration.8f3e7716-2011-43e4-96b1-aba62d229136\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "e79cb83c-25b7-4777-57f0-08d7ac0f1f74", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-10T07:37:16.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "e9e580ee-ac04-436f-9214-08d7adfc0d8b", + "kind": "event", + "original": 
"{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-10T07:37:16", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "Parameters": { "Arbitration": "True", - "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "Force": "True", - "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", - "SCLQuarantineEnabled": "False", - "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", "HiddenFromAddressListsEnabled": "True", - "UseDatabaseQuotaDefaults": "False", + "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", + "IssueWarningQuota": "90 GB (96,636,764,160 bytes)", "ProhibitSendQuota": "99 GB (106,300,440,576 bytes)", + "ProhibitSendReceiveQuota": "100 GB (107,374,182,400 bytes)", + "QuarantineMessageStore": "True", "RecoverableItemsQuota": "30 GB (32,212,254,720 bytes)", + "RecoverableItemsWarningQuota": "20 GB (21,474,836,480 bytes)", "SCLDeleteEnabled": "False", - "QuarantineMessageStore": "True", - "SCLRejectEnabled": "False", "SCLJunkEnabled": "False", - "Identity": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}" + "SCLQuarantineEnabled": "False", + "SCLRejectEnabled": "False", + "UseDatabaseQuotaDefaults": "False" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": 
true, - "CreationTime": "2020-02-10T07:37:16", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-10T07:37:16.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:49:51.470365592Z", - "original": "{\"AppId\":\"\",\"ClientAppId\":\"\",\"CreationTime\":\"2020-02-10T07:37:16\",\"ExternalAccess\":true,\"Id\":\"e9e580ee-ac04-436f-9214-08d7adfc0d8b\",\"ObjectId\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\",\"Operation\":\"Set-Mailbox\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"HE1PR0102MB3228 (67.43.156.13)\",\"Parameters\":[{\"Name\":\"RecoverableItemsQuota\",\"Value\":\"30 GB (32,212,254,720 bytes)\"},{\"Name\":\"Force\",\"Value\":\"True\"},{\"Name\":\"Arbitration\",\"Value\":\"True\"},{\"Name\":\"QuarantineMessageStore\",\"Value\":\"True\"},{\"Name\":\"ProhibitSendQuota\",\"Value\":\"99 GB (106,300,440,576 bytes)\"},{\"Name\":\"HiddenFromAddressListsEnabled\",\"Value\":\"True\"},{\"Name\":\"SCLDeleteEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLQuarantineEnabled\",\"Value\":\"False\"},{\"Name\":\"SCLRejectEnabled\",\"Value\":\"False\"},{\"Name\":\"UseDatabaseQuotaDefaults\",\"Value\":\"False\"},{\"Name\":\"RecoverableItemsWarningQuota\",\"Value\":\"20 GB (21,474,836,480 bytes)\"},{\"Name\":\"IssueWarningQuota\",\"Value\":\"90 GB (96,636,764,160 bytes)\"},{\"Name\":\"Identity\",\"Value\":\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/testsiem.onmicrosoft.com/QuarantineOrgShard{D5FD6316-0A84-416F-8512-3E97EBAF9B1D}\"},{\"Name\":\"ProhibitSendReceiveQuota\",\"Value\":\"100 GB (107,374,182,400 bytes)\"},{\"Name\":\"SCLJunkEnabled\",\"Value\":\"False\"}],\"RecordType\":1,\"ResultStatus\":\"True\",\"UserId\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserKey\":\"NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\",\"UserType\":3,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "e9e580ee-ac04-436f-9214-08d7adfc0d8b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json index af1717725eb..a223e0e438c 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-item-events.json-expected.json 
@@ -1,57 +1,73 @@ { "expected": [ { - "server": { - "address": "67.43.156.13", - "domain": "AM6PR01MB4535", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T17:12:03.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Create", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T17:12:03", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { - "Id": "RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ", "Attachments": "warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)", - "ParentFolder": { - "Path": "\\Inbox", - "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB" - }, + "Id": "RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ", "InternetMessageId": "\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\u003e", "IsRecord": false, + "ParentFolder": { + "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB", + "Path": "\\Inbox" + }, "Subject": "The new SIEMTest group is ready" }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", + 
"MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", "UserId": "S-1-5-18", - "CreationTime": "2020-02-17T17:12:03", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -59,91 +75,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "AM6PR01MB4535", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559667745Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (599b); warming_email_03_2017_conversation.png (614b); warming_email_03_2017_links.png (1403b); google_play_store_badge.png (4824b); apple_store_badge.png (4446b); windows_store_badge.png (3681b); warming_email_03_2017_files.png (809b); warming_email_03_2017_sharePoint.png (1432b)\",\"Id\":\"RgAAAACklF6sEsJgSK/ulVd531/WBwCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAACzgXIUnq3lQqXFeCmxHwmHAAAAABULAAAJ\",\"InternetMessageId\":\"\\u003cAM6PR01MB4535D305187FEC8127CF8EDFEE160@AM6PR01MB4535.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new SIEMTest group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "Create", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "SIEMTest@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "DB3PR0102MB3500", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T08:53:46.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Create", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "c0790552-9989-4e91-cba4-08d7b386e642", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All 
Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T08:53:46", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { - "Id": "RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ", "Attachments": "warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)", - "ParentFolder": { - "Path": "\\Inbox", - "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB" - }, + "Id": 
"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ", "InternetMessageId": "\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\u003e", "IsRecord": false, + "ParentFolder": { + "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB", + "Path": "\\Inbox" + }, "Subject": "The new All Company group is ready" }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", "UserId": "S-1-5-18", - "CreationTime": "2020-02-17T08:53:46", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T08:53:46.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -151,91 +166,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "DB3PR0102MB3500", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559670056Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:46\",\"ExternalAccess\":true,\"Id\":\"c0790552-9989-4e91-cba4-08d7b386e642\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABQ7FIOAzxlR4hKCRQRbTbvBwBTdQb34omtRrZGvP+4ONQkAAAAAAEMAABTdQb34omtRrZGvP+4ONQkAAAAAA0lAAAJ\",\"InternetMessageId\":\"\\u003cDB3PR0102MB35003D203E5553CBC1B8AAEAE2160@DB3PR0102MB3500.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "Create", - "id": "c0790552-9989-4e91-cba4-08d7b386e642", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "DB7PR01MB4428", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T08:53:31.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Create", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "c6b58ed7-a54a-47cf-a301-08d7b386dd7c", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png 
(1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T08:53:31", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { - "Id": "RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ", "Attachments": "warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png 
(613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)", - "ParentFolder": { - "Path": "\\Inbox", - "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB" - }, + "Id": "RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ", "InternetMessageId": "\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\u003e", "IsRecord": false, + "ParentFolder": { + "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB", + "Path": "\\Inbox" + }, "Subject": "The new All Company group is ready" }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", "UserId": "S-1-5-18", - "CreationTime": "2020-02-17T08:53:31", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T08:53:31.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -243,91 +257,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "DB7PR01MB4428", + "ip": "67.43.156.13" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "source": { + "ip": "::1" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", + "id": "S-1-5-18" + } + }, + { + "@timestamp": "2020-02-17T08:53:41.000Z", "client": { "address": "::1", "ip": "::1" }, + "destination": { + "ip": "67.43.156.13" + }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:19.559671099Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:31\",\"ExternalAccess\":true,\"Id\":\"c6b58ed7-a54a-47cf-a301-08d7b386dd7c\",\"InternalLogonType\":1,\"Item\":{\"Attachments\":\"warming_email_03_2017_calendar.png (598b); warming_email_03_2017_conversation.png (613b); warming_email_03_2017_links.png (1402b); google_play_store_badge.png (4823b); apple_store_badge.png (4445b); windows_store_badge.png (3680b); warming_email_03_2017_files.png (808b); warming_email_03_2017_sharePoint.png (1431b)\",\"Id\":\"RgAAAABkkJvTy6NaRYV8EL+vMtzZBwAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAk6unHVumCRJNhRrAMRwYLAAAAAAk9AAAJ\",\"InternetMessageId\":\"\\u003cDB7PR01MB442884FC2132AE2A909799BAFC160@DB7PR01MB4428.eurprd01.prod.exchangelabs.com\\u003e\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAEMAAAB\",\"Path\":\"\\\\Inbox\"},\"Subject\":\"The new All Company group is 
ready\"},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"Create\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "action": "ModifyFolderPermissions", + "category": [ + "web" + ], "code": "ExchangeItem", - "provider": "Exchange", + "id": "815684be-4e52-4cb2-9242-08d7b386e333", "kind": "event", - "action": "Create", - "id": "c6b58ed7-a54a-47cf-a301-08d7b386dd7c", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, 
FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", - "id": "S-1-5-18" - } - }, - { - "server": { - "address": "67.43.156.13", - "domain": "DB3PR0102MB3500", - "ip": "67.43.156.13" - }, - "destination": { - "ip": "67.43.156.13" + ] }, - "source": { - "ip": "::1" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T08:53:41", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { + "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", "ParentFolder": { - "Path": 
"\\Calendar", - "MemberRights": "ReadAny, Visible, FreeBusySimple, FreeBusyDetailed", "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", - "MemberUpn": "Member@local", + "MemberRights": "ReadAny, Visible, FreeBusySimple, FreeBusyDetailed", "MemberSid": "S-1-8-2005823449-1144108501-1529089953-3087822558-1", - "Name": "Calendar" - }, - "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC" + "MemberUpn": "Member@local", + "Name": "Calendar", + "Path": "\\Calendar" + } }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", "UserId": "S-1-5-18", - "CreationTime": "2020-02-17T08:53:41", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T08:53:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -335,91 +348,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "DB3PR0102MB3500", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559671981Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"815684be-4e52-4cb2-9242-08d7b386e333\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "ModifyFolderPermissions", - "id": "815684be-4e52-4cb2-9242-08d7b386e333", - "type": [ - "info" - 
], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "DB7PR01MB4428", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T08:53:22.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ModifyFolderPermissions", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "f5b56c26-18aa-4984-822e-08d7b386d7e2", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T08:53:22", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { + "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", "ParentFolder": { - "Path": "\\Calendar", - "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", - "MemberUpn": "Owner@local", + "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "MemberSid": "S-1-8-1750167797-1192043064-2586004354-3182407426-0", - "Name": "Calendar" - }, - "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC" + "MemberUpn": "Owner@local", + "Name": "Calendar", + "Path": "\\Calendar" + } }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", 
"UserId": "S-1-5-18", - "CreationTime": "2020-02-17T08:53:22", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T08:53:22.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -427,91 +439,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "DB7PR01MB4428", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559672817Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"f5b56c26-18aa-4984-822e-08d7b386d7e2\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "ModifyFolderPermissions", - "id": 
"f5b56c26-18aa-4984-822e-08d7b386d7e2", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "DB7PR01MB4428", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T08:53:22.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ModifyFolderPermissions", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "25ccad93-82ad-4742-5231-08d7b386d7e6", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T08:53:22", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { + "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", "ParentFolder": { - "Path": "\\Calendar", - "MemberRights": "ReadAny, Visible, FreeBusySimple, FreeBusyDetailed", "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC", - "MemberUpn": "Member@local", + "MemberRights": "ReadAny, Visible, FreeBusySimple, FreeBusyDetailed", "MemberSid": "S-1-8-1750167797-1192043064-2586004354-3182407426-1", - "Name": "Calendar" - }, - "Id": "LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC" + "MemberUpn": "Member@local", + "Name": "Calendar", + "Path": "\\Calendar" + } }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "685170f5-2238-470d-824b-239a02afafbd", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679882", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", "UserId": "S-1-5-18", - "CreationTime": "2020-02-17T08:53:22", + "UserKey": "S-1-5-18", "UserType": 
"2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T08:53:22.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -519,91 +530,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "DB7PR01MB4428", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559673674Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:22\",\"ExternalAccess\":true,\"Id\":\"25ccad93-82ad-4742-5231-08d7b386d7e6\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABkkJvTy6NaRYV8EL+vMtzZAQAk6unHVumCRJNhRrAMRwYLAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-1750167797-1192043064-2586004354-3182407426-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"685170f5-2238-470d-824b-239a02afafbd\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679882\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB7PR01MB4428 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "ModifyFolderPermissions", - "id": "25ccad93-82ad-4742-5231-08d7b386d7e6", - "type": [ - "info" - 
], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "DB3PR0102MB3500", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T08:53:41.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ModifyFolderPermissions", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "edb9bb1f-9629-43a1-0a57-08d7b386e31c", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T08:53:41", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { + "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", "ParentFolder": { - "Path": "\\Calendar", - "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC", - "MemberUpn": "Owner@local", + "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "MemberSid": "S-1-8-2005823449-1144108501-1529089953-3087822558-0", - "Name": "Calendar" - }, - "Id": "LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC" + "MemberUpn": "Owner@local", + "Name": "Calendar", + "Path": "\\Calendar" + } }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "778e6fd9-b5d5-4431-a10f-245bde6e0cb8", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26679883", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", 
"UserId": "S-1-5-18", - "CreationTime": "2020-02-17T08:53:41", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T08:53:41.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -611,91 +621,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "DB3PR0102MB3500", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559674514Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T08:53:41\",\"ExternalAccess\":true,\"Id\":\"edb9bb1f-9629-43a1-0a57-08d7b386e31c\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAABQ7FIOAzxlR4hKCRQRbTbvAQBTdQb34omtRrZGvP+4ONQkAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-2005823449-1144108501-1529089953-3087822558-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"778e6fd9-b5d5-4431-a10f-245bde6e0cb8\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26679883\",\"MailboxOwnerUPN\":\"AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"DB3PR0102MB3500 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "ModifyFolderPermissions", - "id": 
"edb9bb1f-9629-43a1-0a57-08d7b386e31c", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "AM6PR01MB4535", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T17:12:03.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ModifyFolderPermissions", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "df63d186-b4d9-49a8-748c-08d7b3cc81fb", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T17:12:03", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { + "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", "ParentFolder": { - "Path": "\\Calendar", - "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", - "MemberUpn": "Member@local", + "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "MemberSid": "S-1-8-640184314-1174341437-2555636127-1766693009-1", - "Name": "Calendar" - }, - "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC" + "MemberUpn": "Member@local", + "Name": "Calendar", + "Path": "\\Calendar" + } }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", 
"UserId": "S-1-5-18", - "CreationTime": "2020-02-17T17:12:03", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -703,91 +712,90 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "AM6PR01MB4535", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559675374Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"df63d186-b4d9-49a8-748c-08d7b3cc81fb\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-1\",\"MemberUpn\":\"Member@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "ModifyFolderPermissions", - "id": 
"df63d186-b4d9-49a8-748c-08d7b3cc81fb", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "SIEMTest@testsiem.onmicrosoft.com", "id": "S-1-5-18" } }, { - "server": { - "address": "67.43.156.13", - "domain": "AM6PR01MB4535", - "ip": "67.43.156.13" + "@timestamp": "2020-02-17T17:12:03.000Z", + "client": { + "address": "::1", + "ip": "::1" }, "destination": { "ip": "67.43.156.13" }, - "source": { - "ip": "::1" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ModifyFolderPermissions", + "category": [ + "web" + ], + "code": "ExchangeItem", + "id": "284dfe85-ab53-48ad-0863-08d7b3cc81f7", + "kind": "event", + "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 
(67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", - "ResultStatus": "Succeeded", - "UserKey": "S-1-5-18", - "ExternalAccess": true, - "LogonType": "1", - "MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", "ClientIP": "::1", + "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "CreationTime": "2020-02-17T17:12:03", + "ExternalAccess": true, + "InternalLogonType": "1", "Item": { + "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", "ParentFolder": { - "Path": "\\Calendar", - "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC", - "MemberUpn": "Owner@local", + "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed", "MemberSid": "S-1-8-640184314-1174341437-2555636127-1766693009-0", - "Name": "Calendar" - }, - "Id": "LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC" + "MemberUpn": "Owner@local", + "Name": "Calendar", + "Path": "\\Calendar" + } }, - "InternalLogonType": "1", + "LogonType": "1", "LogonUserSid": "S-1-5-18", + "MailboxGuid": "26286ffa-073d-45ff-9fe9-539891984d69", + "MailboxOwnerMasterAccountSid": "S-1-5-10", + "MailboxOwnerSid": "S-1-5-21-3422892061-1135328251-2670905592-26680073", "RecordType": "2", - "Version": "1", - "ClientInfoString": "Client=WebServices;Action=ConfigureGroupMailbox", + "ResultStatus": "Succeeded", 
"UserId": "S-1-5-18", - "CreationTime": "2020-02-17T17:12:03", + "UserKey": "S-1-5-18", "UserType": "2", - "MailboxOwnerMasterAccountSid": "S-1-5-10" + "Version": "1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ 
@@ -795,34 +803,17 @@ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "server": { + "address": "67.43.156.13", + "domain": "AM6PR01MB4535", + "ip": "67.43.156.13" }, - "client": { - "address": "::1", + "source": { "ip": "::1" }, - "event": { - "ingested": "2022-01-02T03:50:19.559676214Z", - "original": "{\"ClientIP\":\"::1\",\"ClientIPAddress\":\"::1\",\"ClientInfoString\":\"Client=WebServices;Action=ConfigureGroupMailbox\",\"CreationTime\":\"2020-02-17T17:12:03\",\"ExternalAccess\":true,\"Id\":\"284dfe85-ab53-48ad-0863-08d7b3cc81f7\",\"InternalLogonType\":1,\"Item\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"ParentFolder\":{\"Id\":\"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC\",\"MemberRights\":\"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed\",\"MemberSid\":\"S-1-8-640184314-1174341437-2555636127-1766693009-0\",\"MemberUpn\":\"Owner@local\",\"Name\":\"Calendar\",\"Path\":\"\\\\Calendar\"}},\"LogonType\":1,\"LogonUserSid\":\"S-1-5-18\",\"MailboxGuid\":\"26286ffa-073d-45ff-9fe9-539891984d69\",\"MailboxOwnerMasterAccountSid\":\"S-1-5-10\",\"MailboxOwnerSid\":\"S-1-5-21-3422892061-1135328251-2670905592-26680073\",\"MailboxOwnerUPN\":\"SIEMTest@testsiem.onmicrosoft.com\",\"Operation\":\"ModifyFolderPermissions\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"OrganizationName\":\"testsiem.onmicrosoft.com\",\"OriginatingServer\":\"AM6PR01MB4535 (67.43.156.13)\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserId\":\"S-1-5-18\",\"UserKey\":\"S-1-5-18\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\"}", - "code": "ExchangeItem", - "provider": "Exchange", - "kind": "event", - "action": "ModifyFolderPermissions", - "id": 
"284dfe85-ab53-48ad-0863-08d7b3cc81f7", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "SIEMTest@testsiem.onmicrosoft.com", "id": "S-1-5-18" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json index 12a02ca5b10..04e7f578fdc 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json 
@@ -1,575 +1,572 @@ { "expected": [ { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", + "client": { + "address": "10.11.12.13", + "ip": "10.11.12.13", + "port": 12345 + }, "ecs": { "version": "8.0.0" }, + "event": { + "category": [ + "web" + ], + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } + }, "related": { "ip": [ "10.11.12.13" ] }, + "source": { + "ip": "10.11.12.13", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", "client": { - "port": 12345, "address": "10.11.12.13", - "ip": "10.11.12.13" + "ip": "10.11.12.13", + "port": 12345 }, - "source": { - "port": 12345, - "ip": "10.11.12.13" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:22.709186739Z", - "original": "{\"ClientIP\":\"[10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"10.11.12.13:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" - } - }, - { + }, "o365": { "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" + "CreationTime": 
"2020-02-17T17:12:03", + "RecordType": "-1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "10.11.12.13" ] }, + "source": { + "ip": "10.11.12.13", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", "client": { - "port": 12345, "address": "10.11.12.13", "ip": "10.11.12.13" }, - "source": { - "port": 12345, - "ip": "10.11.12.13" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:22.709188893Z", - "original": "{\"ClientIP\":\"10.11.12.13:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" - } - }, - { + }, "o365": { "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "10.11.12.13" ] }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", "client": { "address": "10.11.12.13", "ip": "10.11.12.13" }, - "source": { - "ip": "10.11.12.13" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:22.709190138Z", - "original": "{\"ClientIP\":\"10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": 
"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"::ffff:10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" - } - }, - { + }, "o365": { "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "10.11.12.13" ] }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", "client": { "address": "10.11.12.13", - "ip": "10.11.12.13" + "ip": "10.11.12.13", + "port": 12345 }, - "source": { - "ip": "10.11.12.13" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:22.709191036Z", - "original": "{\"ClientIP\":\"::ffff:10.11.12.13\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" - } - }, - { + }, "o365": { "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", 
- "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "10.11.12.13" ] }, + "source": { + "ip": "10.11.12.13", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", "client": { - "port": 12345, - "address": "10.11.12.13", - "ip": "10.11.12.13" + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 12345 }, - "source": { - "port": 12345, - "ip": "10.11.12.13" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:22.709191893Z", - "original": "{\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { - "type": "ipv4" - } - }, - { + "type": "ipv6" + }, "o365": { "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, - "client": { - "port": 12345, - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, "source": { + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, "geo": { "continent_name": "Europe", - "country_name": "Norway", + "country_iso_code": "DK", + "country_name": "Denmark", "location": { - "lon": 
10.0, - "lat": 62.0 - }, - "country_iso_code": "NO" + "lat": 56, + "lon": 10 + } }, - "port": 12345, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 12345 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2020-02-17T17:12:03.000Z", + "client": { + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709192742Z", - "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" - } - }, - { + }, "o365": { "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" } }, - "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, - "client": { - "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, "source": { + "as": { + "number": 62121, + "organization": { + "name": "Christian Ebsen ApS" + } + }, "geo": { "continent_name": "Europe", - "country_name": "Norway", + "country_iso_code": "DK", + "country_name": "Denmark", "location": { - "lon": 10.0, - "lat": 62.0 - }, - "country_iso_code": "NO" + "lat": 56, + "lon": 10 + } }, "ip": 
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, - "event": { - "ingested": "2022-01-02T03:50:22.709193605Z", - "original": "{\"ClientIP\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, "tags": [ "preserve_original_event" - ], - "network": { - "type": "ipv6" - } + ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709194457Z", - "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "[10.11.12.13]" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709195293Z", - "original": 
"{\"ClientIP\":\"[10.11.12.13]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[10.11.12.13]\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "localhost" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709196136Z", - "original": "{\"ClientIP\":\"localhost\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"localhost\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "[localhost]:12345" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": 
"2022-01-02T03:50:22.709197037Z", - "original": "{\"ClientIP\":\"[localhost]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[localhost]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "localhost:12345" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709198041Z", - "original": "{\"ClientIP\":\"localhost:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"localhost:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": 
"[cool.client.local]:12345" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709198889Z", - "original": "{\"ClientIP\":\"[cool.client.local]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"[cool.client.local]:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, "@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "cool.client.local" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709199749Z", - "original": "{\"ClientIP\":\"cool.client.local\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"cool.client.local\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" ] }, { - "o365": { - "audit": { - "RecordType": "-1", - "CreationTime": "2020-02-17T17:12:03" - } - }, 
"@timestamp": "2020-02-17T17:12:03.000Z", - "ecs": { - "version": "8.0.0" - }, "client": { "domain": "cool.client.local:12345" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2022-01-02T03:50:22.709200604Z", - "original": "{\"ClientIP\":\"cool.client.local:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", - "kind": "event", - "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "id": "3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226", + "kind": "event", + "original": "{\"ClientIP\":\"cool.client.local:12345\",\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\",\"RecordType\":-1}", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-17T17:12:03", + "RecordType": "-1" + } }, "tags": [ "preserve_original_event" diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json index 9efa91336b0..4b8a8582aca 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ms-teams-events.json-expected.json 
@@ -1,96 +1,124 @@ { "expected": [ { + "@timestamp": "2020-02-17T16:59:44.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "added-group-account-to", + "category": [ + "web", + "iam" + ], + "code": "MicrosoftTeams", + "id": "49fa9883-50a9-4c9c-8e12-57e0948a9d8a", + "kind": "event", + "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"Operation\":\"TeamCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"Application\",\"UserKey\":\"\",\"UserType\":5,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "outcome": "success", + "provider": "MicrosoftTeams", + "type": [ + "info", + "group", + "creation" + ] + }, + "group": { + "name": "SIEMTest" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "CreationTime": "2020-02-17T16:59:44", "RecordType": "25", - "Version": "1", "TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", "UserId": "Application", "UserKey": "", - "CreationTime": "2020-02-17T16:59:44", - "UserType": "5" + "UserType": "5", + "Version": "1" } }, - "@timestamp": "2020-02-17T16:59:44.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Application" + } + }, + { + "@timestamp": "2020-02-17T16:59:47.000Z", + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:24.654026141Z", - "original": 
"{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"Operation\":\"TeamCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"Application\",\"UserKey\":\"\",\"UserType\":5,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "action": "added-users-to-group", + "category": [ + "web", + "iam" + ], "code": "MicrosoftTeams", - "provider": "MicrosoftTeams", + "id": "3a951c24-3214-5529-b2fe-097628a39ecd", "kind": "event", - "action": "added-group-account-to", - "id": "49fa9883-50a9-4c9c-8e12-57e0948a9d8a", + "original": "{\"CreationTime\":\"2020-02-17T16:59:47\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"David\",\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Chuck\",\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Bob\",\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Alice\",\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "outcome": "success", + "provider": "MicrosoftTeams", "type": [ "info", "group", - "creation" - ], - "category": [ - "web", - "iam" - ], - "outcome": "success" - }, - "user": { - "id": "Application" + "change" + ] }, - "tags": [ - "preserve_original_event" - ], "group": { "name": "SIEMTest" - } - }, - { + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "RecordType": "25", - "Version": "1", - 
"TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", - "UserId": "asr@testsiem.onmicrosoft.com", - "UserKey": "755e500a-6c03-46b0-b53b-282f23374e3b", "CreationTime": "2020-02-17T16:59:47", "ItemName": "SIEMTest", - "UserType": "0", "Members": [ { - "Role": 1, "DisplayName": "David", + "Role": 1, "UPN": "david@testsiem.onmicrosoft.com" }, { - "Role": 1, "DisplayName": "Chuck", + "Role": 1, "UPN": "chuck@testsiem.onmicrosoft.com" }, { - "Role": 1, "DisplayName": "Bob", + "Role": 1, "UPN": "bob@testsiem.onmicrosoft.com" }, { - "Role": 1, "DisplayName": "Alice", + "Role": 1, "UPN": "alice@testsiem.onmicrosoft.com" } - ] + ], + "RecordType": "25", + "TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "755e500a-6c03-46b0-b53b-282f23374e3b", + "UserType": "0", + "Version": "1" } }, - "@timestamp": "2020-02-17T16:59:47.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ 
@@ -101,69 +129,68 @@ "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" + } + }, + { + "@timestamp": "2020-02-17T16:59:44.000Z", + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:24.654028568Z", - "original": "{\"CreationTime\":\"2020-02-17T16:59:47\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"David\",\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Chuck\",\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Bob\",\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\"},{\"DisplayName\":\"Alice\",\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "action": "added-users-to-group", + "category": [ + "web", + "iam" + ], "code": "MicrosoftTeams", - "provider": "MicrosoftTeams", + "id": "3350cfd2-1020-5b11-99d8-2701f3a29ea3", "kind": "event", - "action": "added-users-to-group", - "id": "3a951c24-3214-5529-b2fe-097628a39ecd", + "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"Alan 
Smithee\",\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "outcome": "success", + "provider": "MicrosoftTeams", "type": [ "info", "group", "change" - ], - "category": [ - "web", - "iam" - ], - "outcome": "success" - }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + ] }, - "tags": [ - "preserve_original_event" - ], "group": { "name": "SIEMTest" - } - }, - { + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "RecordType": "25", - "Version": "1", - "TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", - "UserId": "asr@testsiem.onmicrosoft.com", - "UserKey": "755e500a-6c03-46b0-b53b-282f23374e3b", "CreationTime": "2020-02-17T16:59:44", "ItemName": "SIEMTest", - "UserType": "0", "Members": [ { - "Role": 2, "DisplayName": "Alan Smithee", + "Role": 2, "UPN": "asr@testsiem.onmicrosoft.com" } - ] + ], + "RecordType": "25", + "TeamGuid": "19:5ad83cb367fc48358e759dccff238f46@thread.skype", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "755e500a-6c03-46b0-b53b-282f23374e3b", + "UserType": "0", + "Version": "1" } }, - "@timestamp": "2020-02-17T16:59:44.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ 
@@ -171,100 +198,69 @@ "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" + } + }, + { + "@timestamp": "2020-02-17T16:59:34.000Z", + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:24.654029576Z", - "original": "{\"CreationTime\":\"2020-02-17T16:59:44\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"ItemName\":\"SIEMTest\",\"Members\":[{\"DisplayName\":\"Alan Smithee\",\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\"}],\"Operation\":\"MemberAdded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"TeamName\":\"SIEMTest\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "action": "TeamsSessionStarted", + "category": [ + "web" + ], "code": "MicrosoftTeams", - "provider": "MicrosoftTeams", + "id": "d7636db2-859f-437e-8dff-573726578ad7", "kind": "event", - "action": "added-users-to-group", - "id": "3350cfd2-1020-5b11-99d8-2701f3a29ea3", + "original": "{\"CreationTime\":\"2020-02-17T16:59:34\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"ObjectId\":\"Unknown (Unknown)\",\"Operation\":\"TeamsSessionStarted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", + "outcome": "success", + "provider": "MicrosoftTeams", "type": [ - "info", - "group", - "change" - ], - "category": [ - "web", - 
"iam" - ], - "outcome": "success" + "info" + ] }, - "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", - "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], - "group": { - "name": "SIEMTest" - } - }, - { "o365": { "audit": { - "RecordType": "25", + "CreationTime": "2020-02-17T16:59:34", "ObjectId": "Unknown (Unknown)", - "Version": "1", + "RecordType": "25", "UserId": "bob@testsiem.onmicrosoft.com", "UserKey": "d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0", - "CreationTime": "2020-02-17T16:59:34", - "UserType": "0" + "UserType": "0", + "Version": "1" } }, - "@timestamp": "2020-02-17T16:59:34.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ "bob" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:50:24.654030446Z", - "original": "{\"CreationTime\":\"2020-02-17T16:59:34\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"ObjectId\":\"Unknown (Unknown)\",\"Operation\":\"TeamsSessionStarted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":25,\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"}", - "code": "MicrosoftTeams", - "provider": "MicrosoftTeams", - "kind": "event", - "action": "TeamsSessionStarted", - "id": "d7636db2-859f-437e-8dff-573726578ad7", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "name": "bob", - "id": "bob@testsiem.onmicrosoft.com", - "email": 
"bob@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" - }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "bob@testsiem.onmicrosoft.com", + "id": "bob@testsiem.onmicrosoft.com", + "name": "bob" + } } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json index ed495637585..d9a510de9bc 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json 
@@ -1,180 +1,166 @@ { "expected": [ { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2021-02-05T09:06:07.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "UserLoggedIn", + "category": [ + "web", + "authentication" + ], + "code": "AzureActiveDirectoryStsLogon", + "id": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "kind": "event", + "original": "{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"67.43.156.13\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery 
\"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"67.43.156.13\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}", + "outcome": "success", + "provider": "AzureActiveDirectory", + "type": [ + "info", + "start", + "authentication_success" + ] + }, + "host": { + "id": "48622b8f-44d3-420c-b4a2-510c8165767e", + "name": "testsiem4.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "AzureActiveDirectoryEventType": "1", - "ObjectId": "Unknown", - "ResultStatus": "Success", - "UserKey": "21119711-1517-43d4-8138-b537dafad016", + "Actor": [ + { + "ID": "21119711-1517-43d4-8138-b537dafad016", + "Type": 0 + }, + { + "ID": "root@testsiem4.onmicrosoft.com", + "Type": 5 + } + ], + "ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", "ActorIpAddress": "67.43.156.13", + "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "AzureActiveDirectoryEventType": "1", + "CreationTime": "2021-02-05T09:06:07", "ErrorNumber": "0", "ExtendedProperties": { "_raw": "-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent \"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"" }, + "InterSystemsId": "df4c6d6c-4551-4f2d-8766-03700dfccb47", "IntraSystemId": "550ed0e2-27da-4cbc-9fb8-46add4018800", + "ModifiedProperties": {}, + "ObjectId": "Unknown", + "RecordType": "15", + 
"ResultStatus": "Success", + "SupportTicketId": "", "Target": [ { - "Type": 0, - "ID": "Unknown" + "ID": "Unknown", + "Type": 0 } ], - "RecordType": "15", - "ModifiedProperties": {}, - "Version": "1", - "SupportTicketId": "", "TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", "UserId": "root@testsiem4.onmicrosoft.com", - "Actor": [ - { - "Type": 0, - "ID": "21119711-1517-43d4-8138-b537dafad016" - }, - { - "Type": 5, - "ID": "root@testsiem4.onmicrosoft.com" - } - ], - "CreationTime": "2021-02-05T09:06:07", - "InterSystemsId": "df4c6d6c-4551-4f2d-8766-03700dfccb47", - "ApplicationId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "UserKey": "21119711-1517-43d4-8138-b537dafad016", "UserType": "0", - "ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e" + "Version": "1" } }, - "@timestamp": "2021-02-05T09:06:07.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "48622b8f-44d3-420c-b4a2-510c8165767e" }, "related": { - "user": [ - "root" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "root" ] }, - "organization": { - "id": "48622b8f-44d3-420c-b4a2-510c8165767e" - }, - "host": { - "name": "testsiem4.onmicrosoft.com", - "id": "48622b8f-44d3-420c-b4a2-510c8165767e" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:50:25.328597461Z", - "original": "{\"CreationTime\":\"2021-02-05T09:06:07\",\"Id\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"21119711-1517-43d4-8138-b537dafad016\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"67.43.156.13\",\"ObjectId\":\"Unknown\",\"UserId\":\"root@testsiem4.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\": \"-Name \"foo\" -Description \"\" -HoldNames () -PublicFolderLocation () -ExchangeLocationExclusion () -IncludeUserAppContent 
\"True\" -SharePointLocationExclusion () -Force \"True\" -Language \"\" -SharePointLocation () -ExchangeLocation (\"All\") -ContentMatchQuery \"(c:c)(senderauthor=abc@foo.com)\"\",\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"21119711-1517-43d4-8138-b537dafad016\",\"Type\":0},{\"ID\":\"root@testsiem4.onmicrosoft.com\",\"Type\":5}],\"ActorContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ActorIpAddress\":\"67.43.156.13\",\"InterSystemsId\":\"df4c6d6c-4551-4f2d-8766-03700dfccb47\",\"IntraSystemId\":\"550ed0e2-27da-4cbc-9fb8-46add4018800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"Unknown\",\"Type\":0}],\"TargetContextId\":\"48622b8f-44d3-420c-b4a2-510c8165767e\",\"ApplicationId\":\"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\",\"ErrorNumber\":\"0\"}", - "code": "AzureActiveDirectoryStsLogon", - "provider": "AzureActiveDirectory", - "kind": "event", - "action": "UserLoggedIn", - "id": "550ed0e2-27da-4cbc-9fb8-46add4018800", - "type": [ - "info", - "start", - "authentication_success" - ], - "category": [ - "web", - "authentication" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "root", - "id": "root@testsiem4.onmicrosoft.com", + "domain": "testsiem4.onmicrosoft.com", "email": "root@testsiem4.onmicrosoft.com", - "domain": "testsiem4.onmicrosoft.com" + "id": "root@testsiem4.onmicrosoft.com", + "name": "root" } }, { - "server": { - "address": "67.43.156.13", - "domain": "HE1PR0102MB3228", - "ip": "67.43.156.13" - }, + "@timestamp": "2020-02-07T20:49:49.000Z", "destination": { "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Set-Mailbox", + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", + "kind": "event", + "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (67.43.156.13)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": 
\"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { + "AppId": "", + "ClientAppId": "", + "CreationTime": "2020-02-07T20:49:49", + "ExternalAccess": true, + "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "Parameters": { "_raw": "-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")" }, - "AppId": "", "RecordType": "1", - "ObjectId": "EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}", "ResultStatus": "True", - "Version": "1", "UserId": "NT AUTHORITY\\SYSTEM 
(Microsoft.Exchange.ServiceHost)", "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", - "ClientAppId": "", - "ExternalAccess": true, - "CreationTime": "2020-02-07T20:49:49", - "UserType": "3" + "UserType": "3", + "Version": "1" } }, - "@timestamp": "2020-02-07T20:49:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "ip": [ "67.43.156.13" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "event": { - "ingested": "2022-01-02T03:50:25.328599706Z", - "original": "{\"OriginatingServer\": \"HE1PR0102MB3228 (67.43.156.13)\", \"ClientAppId\": \"\", \"OrganizationName\": \"testsiem.onmicrosoft.com\", \"ObjectId\": \"EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}\", \"Parameters\": \"-StartReceivedDate \"4/25/2021 7:00:00 AM\" -EndReceivedDate \"5/27/2021 7:00:00 AM\" -StartExpiresDate \"5/26/2021 7:00:00 AM\" -EndExpiresDate \"6/26/2021 7:00:00 AM\" -PageSize \"100\" -Page \"1\" -MyItems \"True\" -QuarantineTypes (\"Bulk\",\"Spam\",\"Phish\")\", \"Workload\": \"Exchange\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-07T20:49:49\", \"AppId\": \"\", \"UserId\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"UserType\": 3, \"Version\": 1, \"ResultStatus\": \"True\", \"ExternalAccess\": true, \"UserKey\": \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)\", \"Operation\": \"Set-Mailbox\", \"Id\": \"1c7412a6-858d-49ff-3f93-08d7ac0f45bf\", \"RecordType\": 1}", - "code": "ExchangeAdmin", - "provider": "Exchange", - "kind": "event", - "action": "Set-Mailbox", - "id": "1c7412a6-858d-49ff-3f93-08d7ac0f45bf", - "type": [ 
- "info" - ], - "category": [ - "web" - ], - "outcome": "success" + "server": { + "address": "67.43.156.13", + "domain": "HE1PR0102MB3228", + "ip": "67.43.156.13" }, + "tags": [ + "preserve_original_event" + ], "user": { "id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json index 43a90144e43..29034144010 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sec-comp-alerts-events.json-expected.json 
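Review bot: The regenerated expectation for the UserLoggedIn event silently drops the GeoIP enrichment on `source` — the removed lines carry `source.geo` (continent/country/location for 67.43.156.13) and `source.as.number`, while the added `source` block holds only `"ip": "67.43.156.13"` — yet the commit message claims nothing beyond removing event.ingested and sorting keys. If the fixtures were regenerated against a stack that lacked the GeoIP test database, a CI run that has it will diverge from these files; if the geoip processors were really removed, any detection keyed on `source.geo.country_iso_code` or `source.as.number` (foreign or impossible-travel logons) loses its input without notice. Either regenerate with the GeoIP test database so the `source.geo`/`source.as` lines come back, or state the intended removal in the message and check that no saved dashboards or rules depend on those fields. The same pattern may affect the other regenerated fixtures in this patch; I could only confirm it for this hunk.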
@@ -1,195 +1,192 @@ { "expected": [ { + "@timestamp": "2020-02-14T19:00:00.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AlertEntityGenerated", + "category": [ + "web" + ], + "code": "SecurityComplianceAlerts", + "id": "448854d7-81f6-4a06-d31a-08d7b1c1fb2f", + "kind": "alert", + "original": "{\"AlertEntityId\":\"asr@testsiem.onmicrosoft.com\",\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/alert\"},{\"AlertLinkHref\":\"http://example.net/info\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\",\"EntityType\":\"User\",\"Id\":\"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, + "message": "New alert", "o365": { "audit": { - "Status": "Active", + "AlertId": 
"5ba6e029-8b6e-13bd-b800-08d7b180173c", + "AlertType": "System", + "CreationTime": "2020-02-14T19:00:00", + "Data": "{\"etype\":\"User\",\"eid\":\"asr@testsiem.onmicrosoft.com\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ts\":\"2020-02-14T18:54:45.0000000Z\",\"te\":\"2020-02-14T18:54:45.0000000Z\",\"op\":\"GrantAdminPermission\",\"tdc\":\"1\",\"suid\":\"asr@testsiem.onmicrosoft.com\",\"ut\":\"Admin\",\"lon\":\"GrantAdminPermission\"}", "ObjectId": "asr@testsiem.onmicrosoft.com", + "RecordType": "40", "ResultStatus": "Succeeded", - "UserKey": "SecurityComplianceAlerts", - "Data": "{\"etype\":\"User\",\"eid\":\"asr@testsiem.onmicrosoft.com\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"ts\":\"2020-02-14T18:54:45.0000000Z\",\"te\":\"2020-02-14T18:54:45.0000000Z\",\"op\":\"GrantAdminPermission\",\"tdc\":\"1\",\"suid\":\"asr@testsiem.onmicrosoft.com\",\"ut\":\"Admin\",\"lon\":\"GrantAdminPermission\"}", "Severity": "Low", "Source": "Office 365 Security \u0026 Compliance", - "AlertType": "System", - "AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", - "RecordType": "40", - "Version": "1", + "Status": "Active", "UserId": "SecurityComplianceAlerts", - "CreationTime": "2020-02-14T19:00:00", - "UserType": "4" + "UserKey": "SecurityComplianceAlerts", + "UserType": "4", + "Version": "1" } }, - "@timestamp": "2020-02-14T19:00:00.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "rule": { + "category": "AccessGovernance", + "description": "asr@testsiem.onmicrosoft.com", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "name": "Elevation of Exchange admin privilege", "reference": [ "http://example.net/alert", "http://example.net/info" ], - "name": "Elevation of Exchange admin 
privilege", - "ruleset": "User", - "description": "asr@testsiem.onmicrosoft.com", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "AccessGovernance" + "ruleset": "User" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "SecurityComplianceAlerts" + } + }, + { + "@timestamp": "2020-02-14T19:00:00.000Z", + "ecs": { + "version": "8.0.0" }, - "message": "New alert", "event": { - "ingested": "2022-01-02T03:50:26.270158982Z", - "original": "{\"AlertEntityId\":\"asr@testsiem.onmicrosoft.com\",\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/alert\"},{\"AlertLinkHref\":\"http://example.net/info\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\",\"EntityType\":\"User\",\"Id\":\"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"asr@testsiem.onmicrosoft.com\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "action": "AlertTriggered", + "category": [ + "web" + ], "code": "SecurityComplianceAlerts", - "provider": "SecurityComplianceCenter", 
+ "id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", "kind": "alert", - "action": "AlertEntityGenerated", - "id": "448854d7-81f6-4a06-d31a-08d7b1c1fb2f", + "original": "{\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/single\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", "type": [ "info" - ], - "category": [ - "web" - ], - "outcome": "success" + ] }, - "user": { - "id": "SecurityComplianceAlerts" + "host": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { + "message": "New alert", "o365": { "audit": { - "Status": "Active", + "AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", + "AlertType": "System", + "CreationTime": "2020-02-14T19:00:00", + "Data": "{\"f3u\":\"asr@testsiem.onmicrosoft.com\",\"ts\":\"2020-02-14T18:45:00.0000000Z\",\"te\":\"2020-02-14T19:00:00.0000000Z\",\"op\":\"GrantAdminPermission\",\"wl\":\"Exchange\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"tdc\":\"1\",\"reid\":\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\",\"rid\":\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\",\"cid\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"ad\":\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\",\"lon\":\"GrantAdminPermission\",\"an\":\"Elevation of Exchange admin privilege\",\"sev\":\"Low\"}", "ObjectId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", + "RecordType": "40", "ResultStatus": "Succeeded", - "UserKey": "SecurityComplianceAlerts", - "Data": "{\"f3u\":\"asr@testsiem.onmicrosoft.com\",\"ts\":\"2020-02-14T18:45:00.0000000Z\",\"te\":\"2020-02-14T19:00:00.0000000Z\",\"op\":\"GrantAdminPermission\",\"wl\":\"Exchange\",\"tid\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"tdc\":\"1\",\"reid\":\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\",\"rid\":\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\",\"cid\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"ad\":\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\",\"lon\":\"GrantAdminPermission\",\"an\":\"Elevation of Exchange admin privilege\",\"sev\":\"Low\"}", "Severity": "Low", "Source": "Office 365 Security \u0026 Compliance", - "AlertType": "System", - "AlertId": "5ba6e029-8b6e-13bd-b800-08d7b180173c", - "RecordType": "40", - "Version": "1", + "Status": "Active", "UserId": "SecurityComplianceAlerts", - 
"CreationTime": "2020-02-14T19:00:00", - "UserType": "4" + "UserKey": "SecurityComplianceAlerts", + "UserType": "4", + "Version": "1" } }, - "@timestamp": "2020-02-14T19:00:00.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "rule": { + "category": "AccessGovernance", + "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", + "name": "Elevation of Exchange admin privilege", "reference": [ "http://example.net/single" - ], - "name": "Elevation of Exchange admin privilege", - "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "AccessGovernance" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "SecurityComplianceAlerts" + } + }, + { + "@timestamp": "2020-02-14T19:00:00.000Z", + "ecs": { + "version": "8.0.0" }, - "message": "New alert", "event": { - "ingested": "2022-01-02T03:50:26.270160944Z", - "original": "{\"AlertId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[{\"AlertLinkHref\":\"http://example.net/single\"}],\"AlertType\":\"System\",\"Category\":\"AccessGovernance\",\"Comments\":\"New alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions 
-V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Elevation of Exchange admin privilege\",\"ObjectId\":\"5ba6e029-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"Low\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "SecurityComplianceAlerts", - "provider": "SecurityComplianceCenter", - "kind": "alert", "action": "AlertTriggered", - "id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", - "type": [ - "info" - ], "category": [ "web" ], - "outcome": "success" + "code": "SecurityComplianceAlerts", + "id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", + "kind": "alert", + "original": "{\"AlertEntityId\":\"Malware/Evil.Malware.B\",\"AlertId\":\"1233344-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"This is a phony threat alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"something\\\":\\\"blabla\\\"}\",\"EntityType\":\"MalwareFamily\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Phony Malware Alert\",\"ObjectId\":\"12345678-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"High\",\"Source\":\"Office 365 Security \\u0026 
Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", + "outcome": "success", + "provider": "SecurityComplianceCenter", + "type": [ + "info" + ] }, - "user": { - "id": "SecurityComplianceAlerts" + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ] - }, - { + "message": "This is a phony threat alert", "o365": { "audit": { - "Status": "Active", + "AlertId": "1233344-8b6e-13bd-b800-08d7b180173c", + "AlertType": "System", + "CreationTime": "2020-02-14T19:00:00", + "Data": "{\"something\":\"blabla\"}", "ObjectId": "12345678-8b6e-13bd-b800-08d7b180173c", + "RecordType": "40", "ResultStatus": "Succeeded", - "UserKey": "SecurityComplianceAlerts", - "Data": "{\"something\":\"blabla\"}", "Severity": "High", "Source": "Office 365 Security \u0026 Compliance", - "AlertType": "System", - "AlertId": "1233344-8b6e-13bd-b800-08d7b180173c", - "RecordType": "40", - "Version": "1", + "Status": "Active", "UserId": "SecurityComplianceAlerts", - "CreationTime": "2020-02-14T19:00:00", - "UserType": "4" + "UserKey": "SecurityComplianceAlerts", + "UserType": "4", + "Version": "1" } }, - "@timestamp": "2020-02-14T19:00:00.000Z", - "ecs": { - "version": "8.0.0" - }, "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "rule": { - "name": "Phony Malware Alert", - "ruleset": "MalwareFamily", + "category": "ThreatManagement", "description": "Malware/Evil.Malware.B", "id": "17d51759-88e1-40c1-8df3-20bcf2e43057", - "category": "ThreatManagement" - }, - "message": "This is a phony threat alert", - "event": { - "ingested": 
"2022-01-02T03:50:26.270161938Z", - "original": "{\"AlertEntityId\":\"Malware/Evil.Malware.B\",\"AlertId\":\"1233344-8b6e-13bd-b800-08d7b180173c\",\"AlertLinks\":[],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"This is a phony threat alert\",\"CreationTime\":\"2020-02-14T19:00:00\",\"Data\":\"{\\\"something\\\":\\\"blabla\\\"}\",\"EntityType\":\"MalwareFamily\",\"Id\":\"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\",\"Name\":\"Phony Malware Alert\",\"ObjectId\":\"12345678-8b6e-13bd-b800-08d7b180173c\",\"Operation\":\"AlertTriggered\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"PolicyId\":\"17d51759-88e1-40c1-8df3-20bcf2e43057\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"Severity\":\"High\",\"Source\":\"Office 365 Security \\u0026 Compliance\",\"Status\":\"Active\",\"UserId\":\"SecurityComplianceAlerts\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\"}", - "code": "SecurityComplianceAlerts", - "provider": "SecurityComplianceCenter", - "kind": "alert", - "action": "AlertTriggered", - "id": "7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, - "user": { - "id": "SecurityComplianceAlerts" + "name": "Phony Malware Alert", + "ruleset": "MalwareFamily" }, "tags": [ "preserve_original_event" - ] + ], + "user": { + "id": "SecurityComplianceAlerts" + } } ] } \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json index b0ad6eeeaf0..7d567156309 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json 
@@ -1,401 +1,349 @@ { "expected": [ { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:53.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "PageViewed", + "category": [ + "web" + ], + "code": "SharePoint", + "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", - "ItemType": "Page", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - 
"EventSource": "SharePoint", - "RecordType": "4", - "Version": "1", - "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, - "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "EventSource": "SharePoint", + "ItemType": "Page", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", - "UserType": "0" + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "RecordType": "4", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:43:53.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:26.735961955Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePoint", - "provider": "OneDrive", - "kind": "event", - "action": "PageViewed", - "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:53.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "PageViewed", + "category": [ + "web" + ], + "code": "SharePoint", + "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", - "ItemType": "Page", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "EventSource": "SharePoint", - 
"RecordType": "4", - "Version": "1", - "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, - "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "EventSource": "SharePoint", + "ItemType": "Page", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", - "UserType": "0" + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "RecordType": "4", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:43:53.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:26.735964665Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePoint", - "provider": "OneDrive", - "kind": "event", - "action": "PageViewed", - "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:53.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "PageViewed", + "category": [ + "web" + ], + "code": "SharePoint", + "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", - "ItemType": "Page", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "EventSource": "SharePoint", - 
"RecordType": "4", - "Version": "1", - "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, - "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "EventSource": "SharePoint", + "ItemType": "Page", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", - "UserType": "0" + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "RecordType": "4", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:43:53.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:26.735965665Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePoint", - "provider": "OneDrive", - "kind": "event", - "action": "PageViewed", - "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:43:53.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "PageViewed", + "category": [ + "web" + ], + "code": "SharePoint", + "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", - "ItemType": "Page", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "EventSource": "SharePoint", - 
"RecordType": "4", - "Version": "1", - "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "CreationTime": "2020-02-07T16:43:53", "CustomUniqueId": true, - "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "EventSource": "SharePoint", + "ItemType": "Page", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", - "UserType": "0" + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "RecordType": "4", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:43:53.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:26.735966535Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"622b339f-4000-a000-f25f-92b3478c7a25\",\"CreationTime\":\"2020-02-07T16:43:53\",\"CustomUniqueId\":true,\"EventSource\":\"SharePoint\",\"Id\":\"99d005e6-a4c6-46fd-117c-08d7abeceab5\",\"ItemType\":\"Page\",\"ListItemUniqueId\":\"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\",\"Operation\":\"PageViewed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":4,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePoint", - "provider": "OneDrive", - "kind": "event", - "action": "PageViewed", - "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } 
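Review bot: The regenerated expectations for all four PageViewed events in this hunk drop the `source.geo.*` and `source.as.number` enrichment for 67.43.156.15 and keep only `source.ip`, a change the commit description (event.ingested removal and key sorting) does not mention. If the test configuration intentionally no longer loads the GeoIP test database, say so in the description and confirm the production pipeline still applies the geoip processor; otherwise these golden files now codify a silent loss of geolocation/ASN fields that O365 sign-in and access detections commonly pivot on, and the pipeline test would no longer catch that regression. A regenerated expected file should be checked for unexpected field removals rather than accepted wholesale, e.g. `jq '.expected[].source' test-sharepoint-events.json-expected.json` on both revisions. The same `source` shrinkage appears in the neighbouring hunks, so whichever cause applies here likely applies to them too.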
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json index acd5eeab855..a0a42f778ab 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json 
@@ -1,1213 +1,1070 @@ { "expected": [ { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:07.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileDeleted", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "deletion" + ] + }, + 
"file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot 2020-01-27 at 11.30.48.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", + "CreationTime": "2020-02-07T16:44:07", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:07", - "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", - "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:07.000Z", - "file": { - "name": "Screenshot 2020-01-27 at 11.30.48.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - 
}, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194855690Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileDeleted", - "id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", - "type": [ - "info", - "deletion" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": 
"asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:07.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileDeleted", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "deletion" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot 2020-01-27 at 11.30.48.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", + "CreationTime": "2020-02-07T16:44:07", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:07", - "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", - "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:07.000Z", - "file": { - "name": "Screenshot 2020-01-27 at 11.30.48.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194858761Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileDeleted", - "id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", - "type": [ - "info", - "deletion" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + 
"preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:08.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileAccessed", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", + "kind": "event", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "access" + ] + }, + "file": { + "directory": "Documents/Forms", + "extension": "aspx", + "name": "All.aspx" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", + "CreationTime": "2020-02-07T16:44:08", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", 
"RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:08", - "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", - "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:08.000Z", - "file": { - "name": "All.aspx", - "directory": "Documents/Forms", - "extension": "aspx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194859926Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileAccessed", - "id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac 
OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:08.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileAccessed", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + 
"provider": "OneDrive", + "type": [ + "info", + "access" + ] + }, + "file": { + "directory": "Documents/Forms", + "extension": "aspx", + "name": "All.aspx" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", + "CreationTime": "2020-02-07T16:44:08", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", "RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:08", - "CorrelationId": "652b339f-90a0-a000-f25f-919afc141eb1", - "ListItemUniqueId": "ff3631c1-6189-45c7-ad45-c15cea9e9255", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:08.000Z", - "file": { - "name": "All.aspx", - "directory": "Documents/Forms", - "extension": "aspx" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194860980Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-90a0-a000-f25f-919afc141eb1\",\"CreationTime\":\"2020-02-07T16:44:08\",\"EventSource\":\"SharePoint\",\"Id\":\"25b08f04-48ee-4755-ce22-08d7abecf3a9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"ff3631c1-6189-45c7-ad45-c15cea9e9255\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx\",\"Operation\":\"FileAccessed\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"aspx\",\"SourceFileName\":\"All.aspx\",\"SourceRelativeUrl\":\"Documents/Forms\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileAccessed", - "id": "25b08f04-48ee-4755-ce22-08d7abecf3a9", - "type": [ - "info", - "access" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": 
"asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:21.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileUploaded", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "creation" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "ImplicitShare": "No", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", + "CreationTime": "2020-02-07T16:44:21", "EventSource": "SharePoint", + "ImplicitShare": "No", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "RecordType": "6", - "Version": "1", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "CreationTime": "2020-02-07T16:44:21", - "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:21.000Z", - "file": { - "name": "Screenshot.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194861994Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileUploaded", - "id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", - "type": [ - "info", - "creation" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": 
"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:23.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileModified", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "kind": "event", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "change" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "CreationTime": "2020-02-07T16:44:23", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", 
"RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:23", - "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:23.000Z", - "file": { - "name": "Screenshot.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" - ] - }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2022-01-02T03:50:29.194862999Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileModified", - "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", - "type": [ - "info", - "change" - ], - "category": [ - "web", - "file" ], - "outcome": "success" + "user": [ + "asr" + ] + }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:07.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileDeleted", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "deletion" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot 2020-01-27 at 11.30.48.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", + "CreationTime": "2020-02-07T16:44:07", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:07", - "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", - "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:07.000Z", - "file": { - "name": "Screenshot 2020-01-27 at 11.30.48.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": 
"mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194863996Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"652b339f-908c-a000-f25f-91423da7dd9b\",\"CreationTime\":\"2020-02-07T16:44:07\",\"EventSource\":\"SharePoint\",\"Id\":\"ec04aa09-0a43-4879-cdc8-08d7abecf327\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"4803608a-df7d-4f63-aa73-67aa33bb576e\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png\",\"Operation\":\"FileDeleted\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot 2020-01-27 at 11.30.48.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileDeleted", - "id": "ec04aa09-0a43-4879-cdc8-08d7abecf327", - "type": [ - "info", - "deletion" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": 
"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:21.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileUploaded", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", + "kind": "event", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "creation" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "ImplicitShare": "No", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", + "CreationTime": "2020-02-07T16:44:21", "EventSource": "SharePoint", + "ImplicitShare": "No", + "ItemType": "File", "ListId": 
"2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "RecordType": "6", - "Version": "1", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "CreationTime": "2020-02-07T16:44:21", - "CorrelationId": "692b339f-c016-a000-f25f-990a07b2e011", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:21.000Z", - "file": { - "name": "Screenshot.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194865031Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-c016-a000-f25f-990a07b2e011\",\"CreationTime\":\"2020-02-07T16:44:21\",\"EventSource\":\"SharePoint\",\"Id\":\"dac93a9f-f2fb-4cac-d18f-08d7abecfbb6\",\"ImplicitShare\":\"No\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileUploaded\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileUploaded", - "id": "dac93a9f-f2fb-4cac-d18f-08d7abecfbb6", - "type": [ - "info", - "creation" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:23.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileModified", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "change" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "CreationTime": "2020-02-07T16:44:23", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:23", - "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:23.000Z", - "file": { - "name": "Screenshot.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": 
[ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194866037Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileModified", - "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", - "type": [ - "info", - "change" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, 
"user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:23.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileModified", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "kind": "event", + "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info", + "change" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "CreationTime": "2020-02-07T16:44:23", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", 
"RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:23", - "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:23.000Z", - "file": { - "name": "Screenshot.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194867053Z", - "original": 
"{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileModified", - "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", - "type": [ - "info", - "change" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac 
OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-07T16:44:23.000Z", + "client": { + "address": "67.43.156.15", "ip": "67.43.156.15" }, - "url": { - "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "FileModified", + "category": [ + "web", + "file" + ], + "code": "SharePointFileOperation", + "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + 
"provider": "OneDrive", + "type": [ + "info", + "change" + ] + }, + "file": { + "directory": "Documents", + "extension": "png", + "name": "Screenshot.png" + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", + "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", + "CreationTime": "2020-02-07T16:44:23", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "RecordType": "6", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-07T16:44:23", - "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-07T16:44:23.000Z", - "file": { - "name": "Screenshot.png", - "directory": "Documents", - "extension": "png" - }, - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.15", + "source": { "ip": "67.43.156.15" }, - "event": { - "ingested": "2022-01-02T03:50:29.194868044Z", - "original": "{\"ClientIP\":\"67.43.156.15\",\"CorrelationId\":\"692b339f-902e-a000-f25f-95def5f17903\",\"CreationTime\":\"2020-02-07T16:44:23\",\"EventSource\":\"SharePoint\",\"Id\":\"5b02fadb-8eac-4aff-af87-08d7abecfca3\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"FileModified\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":6,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointFileOperation", - "provider": "OneDrive", - "kind": "event", - "action": "FileModified", - "id": "5b02fadb-8eac-4aff-af87-08d7abecfca3", - "type": [ - "info", - "change" - ], - "category": [ - "web", - "file" - ], - "outcome": "success" + "tags": [ + "preserve_original_event" + ], + "url": { + "original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png" }, "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": 
"asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "72.0." } diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json index f3890b86f02..3c7769f073e 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json 
@@ -1,890 +1,820 @@ { "expected": [ { - "tags": [ - "preserve_original_event" - ], + "@timestamp": "2020-02-17T16:59:50.000Z", + "client": {}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AddedToGroup", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "4d1a6a2b-360c-423d-96e5-08d7b3cacd83", + "kind": "event", + "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"4d1a6a2b-360c-423d-96e5-08d7b3cacd83\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"Everyone except external users\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", - "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", - "ItemType": "Web", - "TargetUserOrGroupName": "Everyone except external users", - "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", - "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "CreationTime": "2020-02-17T16:59:50", "EventData": "\u003cGroup\u003eSite Members\u003c/Group\u003e", 
"EventSource": "SharePoint", + "ItemType": "Web", + "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", "RecordType": "14", + "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "TargetUserOrGroupName": "Everyone except external users", "TargetUserOrGroupType": "SecurityGroup", - "Version": "1", "UserId": "app@sharepoint", - "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", - "CreationTime": "2020-02-17T16:59:50", - "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", - "UserType": "0" + "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "UserType": "0", + "Version": "1", + "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083" } }, - "@timestamp": "2020-02-17T16:59:50.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ "app" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": {}, - "event": { - "ingested": "2022-01-02T03:50:37.371168345Z", - "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"4d1a6a2b-360c-423d-96e5-08d7b3cacd83\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"Everyone except external 
users\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", - "code": "SharePointSharingOperation", - "provider": "SharePoint", - "kind": "event", - "action": "AddedToGroup", - "id": "4d1a6a2b-360c-423d-96e5-08d7b3cacd83", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "app", - "id": "app@sharepoint", + "domain": "sharepoint", "email": "app@sharepoint", - "domain": "sharepoint" + "id": "app@sharepoint", + "name": "app" }, "user_agent": { - "name": "Other", "device": { "name": "Other" }, + "name": "Other", "original": "" } }, { - "tags": [ - "preserve_original_event" - ], + "@timestamp": "2020-02-17T16:59:50.000Z", + "client": {}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AddedToGroup", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "56696ec0-5a7e-4561-5e88-08d7b3cacd4a", + "kind": "event", + "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite 
Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"56696ec0-5a7e-4561-5e88-08d7b3cacd4a\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", - "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", - "ItemType": "Web", - "TargetUserOrGroupName": "SHAREPOINT\\system", - "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", - "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "CreationTime": "2020-02-17T16:59:50", "EventData": "\u003cGroup\u003eSite Owners\u003c/Group\u003e", "EventSource": "SharePoint", + "ItemType": "Web", + "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", "RecordType": "14", + "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "TargetUserOrGroupName": "SHAREPOINT\\system", "TargetUserOrGroupType": "Member", - "Version": "1", "UserId": "app@sharepoint", - "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", - "CreationTime": "2020-02-17T16:59:50", - "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", - "UserType": "0" + "UserKey": 
"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "UserType": "0", + "Version": "1", + "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083" } }, - "@timestamp": "2020-02-17T16:59:50.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ "app" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": {}, - "event": { - "ingested": "2022-01-02T03:50:37.371171398Z", - "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"56696ec0-5a7e-4561-5e88-08d7b3cacd4a\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", - "code": "SharePointSharingOperation", - "provider": "SharePoint", - "kind": "event", - "action": "AddedToGroup", - "id": "56696ec0-5a7e-4561-5e88-08d7b3cacd4a", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "app", - "id": "app@sharepoint", + "domain": "sharepoint", "email": "app@sharepoint", - "domain": "sharepoint" + 
"id": "app@sharepoint", + "name": "app" }, "user_agent": { - "name": "Other", "device": { "name": "Other" }, + "name": "Other", "original": "" } }, { - "tags": [ - "preserve_original_event" - ], + "@timestamp": "2020-02-17T16:59:50.000Z", + "client": {}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AddedToGroup", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "b8c880ff-e8fe-407c-9ce9-08d7b3cacd07", + "kind": "event", + "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest Owners\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", - "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", - "ItemType": "Web", - "TargetUserOrGroupName": "SIEMTest Owners", - "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", - "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "CreationTime": 
"2020-02-17T16:59:50", "EventData": "\u003cGroup\u003eSite Owners\u003c/Group\u003e", "EventSource": "SharePoint", + "ItemType": "Web", + "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", "RecordType": "14", + "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "TargetUserOrGroupName": "SIEMTest Owners", "TargetUserOrGroupType": "SecurityGroup", - "Version": "1", "UserId": "app@sharepoint", - "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", - "CreationTime": "2020-02-17T16:59:50", - "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", - "UserType": "0" + "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "UserType": "0", + "Version": "1", + "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083" } }, - "@timestamp": "2020-02-17T16:59:50.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ "app" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": {}, - "event": { - "ingested": "2022-01-02T03:50:37.371172382Z", - "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"b8c880ff-e8fe-407c-9ce9-08d7b3cacd07\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest 
Owners\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", - "code": "SharePointSharingOperation", - "provider": "SharePoint", - "kind": "event", - "action": "AddedToGroup", - "id": "b8c880ff-e8fe-407c-9ce9-08d7b3cacd07", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "app", - "id": "app@sharepoint", + "domain": "sharepoint", "email": "app@sharepoint", - "domain": "sharepoint" + "id": "app@sharepoint", + "name": "app" }, "user_agent": { - "name": "Other", "device": { "name": "Other" }, + "name": "Other", "original": "" } }, { - "tags": [ - "preserve_original_event" - ], + "@timestamp": "2020-02-17T16:59:50.000Z", + "client": {}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AddedToGroup", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "483f657f-9141-45fc-b141-08d7b3caccfb", + "kind": "event", + "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"483f657f-9141-45fc-b141-08d7b3caccfb\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest 
Members\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", - "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", - "ItemType": "Web", - "TargetUserOrGroupName": "SIEMTest Members", - "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", - "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "CreationTime": "2020-02-17T16:59:50", "EventData": "\u003cGroup\u003eSite Members\u003c/Group\u003e", "EventSource": "SharePoint", + "ItemType": "Web", + "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", "RecordType": "14", + "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "TargetUserOrGroupName": "SIEMTest Members", "TargetUserOrGroupType": "SecurityGroup", - "Version": "1", "UserId": "app@sharepoint", - "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", - "CreationTime": "2020-02-17T16:59:50", - "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", - "UserType": "0" + "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "UserType": "0", + "Version": "1", + "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083" } }, - "@timestamp": "2020-02-17T16:59:50.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ "app" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": 
"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": {}, - "event": { - "ingested": "2022-01-02T03:50:37.371173257Z", - "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:50\",\"EventData\":\"\\u003cGroup\\u003eSite Members\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"483f657f-9141-45fc-b141-08d7b3caccfb\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SIEMTest Members\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", - "code": "SharePointSharingOperation", - "provider": "SharePoint", - "kind": "event", - "action": "AddedToGroup", - "id": "483f657f-9141-45fc-b141-08d7b3caccfb", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "app", - "id": "app@sharepoint", + "domain": "sharepoint", "email": "app@sharepoint", - "domain": "sharepoint" + "id": "app@sharepoint", + "name": "app" }, "user_agent": { - "name": "Other", "device": { "name": "Other" }, + "name": "Other", "original": "" } }, { - "tags": [ - "preserve_original_event" - ], + "@timestamp": "2020-02-17T16:59:49.000Z", + "client": {}, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AddedToGroup", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": 
"13004a30-d15a-48a5-16ec-08d7b3caccc0", + "kind": "event", + "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:49\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"13004a30-d15a-48a5-16ec-08d7b3caccc0\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", + "outcome": "success", + "provider": "SharePoint", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "o365": { "audit": { - "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", - "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", - "ItemType": "Web", - "TargetUserOrGroupName": "SHAREPOINT\\system", - "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", - "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", + "CreationTime": "2020-02-17T16:59:49", "EventData": "\u003cGroup\u003eSite Owners\u003c/Group\u003e", "EventSource": "SharePoint", + "ItemType": "Web", + "ObjectId": "https://testsiem.sharepoint.com/sites/SIEMTest", "RecordType": "14", + "Site": "9d58b52e-2adb-4976-8c1f-9932c32a8bd2", + "SiteUrl": "https://testsiem.sharepoint.com/sites/SIEMTest", + "TargetUserOrGroupName": "SHAREPOINT\\system", "TargetUserOrGroupType": "Member", - 
"Version": "1", "UserId": "app@sharepoint", - "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083", - "CreationTime": "2020-02-17T16:59:49", - "CorrelationId": "4464369f-303c-b000-7cb1-c0cce4f2da18", - "UserType": "0" + "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", + "UserType": "0", + "Version": "1", + "WebId": "54cfe39c-0e16-4f8e-bd62-f2ac40248083" } }, - "@timestamp": "2020-02-17T16:59:49.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { "user": [ "app" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": {}, - "event": { - "ingested": "2022-01-02T03:50:37.371174092Z", - "original": "{\"ClientIP\":\"\",\"CorrelationId\":\"4464369f-303c-b000-7cb1-c0cce4f2da18\",\"CreationTime\":\"2020-02-17T16:59:49\",\"EventData\":\"\\u003cGroup\\u003eSite Owners\\u003c/Group\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"13004a30-d15a-48a5-16ec-08d7b3caccc0\",\"ItemType\":\"Web\",\"ObjectId\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"Operation\":\"AddedToGroup\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"9d58b52e-2adb-4976-8c1f-9932c32a8bd2\",\"SiteUrl\":\"https://testsiem.sharepoint.com/sites/SIEMTest\",\"TargetUserOrGroupName\":\"SHAREPOINT\\\\system\",\"TargetUserOrGroupType\":\"Member\",\"UserAgent\":\"\",\"UserId\":\"app@sharepoint\",\"UserKey\":\"i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint\",\"UserType\":0,\"Version\":1,\"WebId\":\"54cfe39c-0e16-4f8e-bd62-f2ac40248083\",\"Workload\":\"SharePoint\"}", - "code": "SharePointSharingOperation", - "provider": "SharePoint", - "kind": "event", - "action": "AddedToGroup", - "id": "13004a30-d15a-48a5-16ec-08d7b3caccc0", - "type": [ - "info" - ], - 
"category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "app", - "id": "app@sharepoint", + "domain": "sharepoint", "email": "app@sharepoint", - "domain": "sharepoint" + "id": "app@sharepoint", + "name": "app" }, "user_agent": { - "name": "Other", "device": { "name": "Other" }, + "name": "Other", "original": "" } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-14T18:25:45.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "SharingInheritanceBroken", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "dd162cd7-5df5-4fef-078a-08d7b17b4e95", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links", - "ItemType": "List", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "CreationTime": "2020-02-14T18:25:45", "EventData": "\u003ccopyRoleAssignments\u003eFalse\u003c/copyRoleAssignments\u003e\u003cclearSubScopes\u003eFalse\u003c/clearSubScopes\u003e", - "SourceRelativeUrl": "Sharing Links", "EventSource": "SharePoint", + "ItemType": "List", "ListId": "b108938d-3546-4359-925d-a1b54b4db8c2", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links", "RecordType": "14", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "SourceRelativeUrl": "Sharing Links", "UserId": "asr@testsiem.onmicrosoft.com", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", - "CreationTime": "2020-02-14T18:25:45", - "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-14T18:25:45.000Z", - "ecs": { - 
"version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:50:37.371174906Z", - "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003ccopyRoleAssignments\\u003eFalse\\u003c/copyRoleAssignments\\u003e\\u003cclearSubScopes\\u003eFalse\\u003c/clearSubScopes\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"dd162cd7-5df5-4fef-078a-08d7b17b4e95\",\"ItemType\":\"List\",\"ListId\":\"b108938d-3546-4359-925d-a1b54b4db8c2\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com//personal/asr_testsiem_onmicrosoft_com/Sharing Links\",\"Operation\":\"SharingInheritanceBroken\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceRelativeUrl\":\"Sharing Links\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointSharingOperation", - "provider": "OneDrive", - "kind": "event", - "action": "SharingInheritanceBroken", - "id": "dd162cd7-5df5-4fef-078a-08d7b17b4e95", - "type": [ - "info" - ], - "category": [ - 
"web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "73.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-14T18:25:45.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "AnonymousLinkCreated", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9", + "kind": "event", + "original": 
"{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", - "SourceFileName": "Screenshot.png", - "ItemType": "File", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", - "SourceFileExtension": "png", + "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "CreationTime": 
"2020-02-14T18:25:45", "EventData": "\u003cType\u003eEdit\u003c/Type\u003e", - "SourceRelativeUrl": "Documents/Screenshot.png", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "RecordType": "14", - "Version": "1", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "SourceFileExtension": "png", + "SourceFileName": "Screenshot.png", + "SourceRelativeUrl": "Documents/Screenshot.png", + "UniqueSharingId": "d323b5ea-ceca-4d65-a628-e22ca9296a76", "UserId": "asr@testsiem.onmicrosoft.com", - "CreationTime": "2020-02-14T18:25:45", - "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "UserType": "0", - "UniqueSharingId": "d323b5ea-ceca-4d65-a628-e22ca9296a76" + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-14T18:25:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:50:37.371175715Z", - "original": 
"{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cType\\u003eEdit\\u003c/Type\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"AnonymousLinkCreated\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"UniqueSharingId\":\"d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointSharingOperation", - "provider": "OneDrive", - "kind": "event", - "action": "AnonymousLinkCreated", - "id": "1cb54d72-3a76-4a7c-7b3d-08d7b17b4ec9", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "os": { + 
"full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "73.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-14T18:25:45.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "SharingSet", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "a8c23ab8-9447-4824-3208-08d7b17b4e5e", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { - "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", - "SourceFileName": "Screenshot.png", - "ItemType": "File", - "TargetUserOrGroupName": "SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", - "SourceFileExtension": "png", + "audit": { + "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "CreationTime": "2020-02-14T18:25:45", "EventData": "\u003cPermissions granted\u003eContribute\u003c/Permissions granted\u003e", - "SourceRelativeUrl": "Documents/Screenshot.png", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "RecordType": "14", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "SourceFileExtension": "png", + "SourceFileName": "Screenshot.png", + "SourceRelativeUrl": "Documents/Screenshot.png", + "TargetUserOrGroupName": "SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76", "TargetUserOrGroupType": 
"SharePointGroup", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserId": "asr@testsiem.onmicrosoft.com", - "CreationTime": "2020-02-14T18:25:45", - "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-14T18:25:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:50:37.371176513Z", - "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:45\",\"EventData\":\"\\u003cPermissions granted\\u003eContribute\\u003c/Permissions 
granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"a8c23ab8-9447-4824-3208-08d7b17b4e5e\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"SharingLinks.7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8.AnonymousEdit.d323b5ea-ceca-4d65-a628-e22ca9296a76\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointSharingOperation", - "provider": "OneDrive", - "kind": "event", - "action": "SharingSet", - "id": "a8c23ab8-9447-4824-3208-08d7b17b4e5e", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac 
OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "73.0." } }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-14T18:25:44.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "SharingSet", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "88a041e3-2f3a-483c-cf76-08d7b17b4e5b", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", - "SourceFileName": "Screenshot.png", - "ItemType": "File", - "TargetUserOrGroupName": "Limited Access System Group", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", - "SourceFileExtension": "png", + "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "CreationTime": "2020-02-14T18:25:44", "EventData": "\u003cPermissions granted\u003eLimited Access\u003c/Permissions granted\u003e", - "SourceRelativeUrl": "Documents/Screenshot.png", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "RecordType": "14", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "SourceFileExtension": "png", + "SourceFileName": "Screenshot.png", + "SourceRelativeUrl": "Documents/Screenshot.png", + "TargetUserOrGroupName": "Limited Access System Group", "TargetUserOrGroupType": "SharePointGroup", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserId": "asr@testsiem.onmicrosoft.com", - "CreationTime": "2020-02-14T18:25:44", - 
"CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-14T18:25:44.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:50:37.371177333Z", - "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eLimited Access\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"88a041e3-2f3a-483c-cf76-08d7b17b4e5b\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"Limited Access System Group\",\"TargetUserOrGroupType\":\"SharePointGroup\",\"UserAgent\":\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointSharingOperation", - "provider": "OneDrive", - "kind": "event", - "action": "SharingSet", - "id": "88a041e3-2f3a-483c-cf76-08d7b17b4e5b", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "73.0." 
} }, { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, + "@timestamp": "2020-02-14T18:25:44.000Z", + "client": { + "address": "67.43.156.13", "ip": "67.43.156.13" }, - "tags": [ - "preserve_original_event" - ], + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "SharingSet", + "category": [ + "web" + ], + "code": "SharePointSharingOperation", + "id": "98633e47-3540-4e8a-bcfc-08d7b17b4e48", + "kind": "event", + "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", + "outcome": "success", + 
"provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" + }, "network": { "type": "ipv4" }, "o365": { "audit": { - "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", - "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", - "SourceFileName": "Screenshot.png", - "ItemType": "File", - "TargetUserOrGroupName": "4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd", - "UserKey": "i:0h.f|membership|1003200096971f55@live.com", - "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", - "SourceFileExtension": "png", + "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", + "CreationTime": "2020-02-14T18:25:44", "EventData": "\u003cPermissions granted\u003eSystem.LimitedEdit\u003c/Permissions granted\u003e", - "SourceRelativeUrl": "Documents/Screenshot.png", "EventSource": "SharePoint", + "ItemType": "File", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", + "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "RecordType": "14", - "Version": "1", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com", + "SourceFileExtension": "png", + "SourceFileName": "Screenshot.png", + "SourceRelativeUrl": "Documents/Screenshot.png", + "TargetUserOrGroupName": "4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd", "TargetUserOrGroupType": "SecurityGroup", - "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserId": "asr@testsiem.onmicrosoft.com", - "CreationTime": "2020-02-14T18:25:44", - "CorrelationId": "fe71359f-005f-9000-7cb1-ccf5124703db", - "ListItemUniqueId": "7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", - "UserType": "0" + "UserKey": 
"i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" } }, - "@timestamp": "2020-02-14T18:25:44.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "mytenant.onmicrosoft.com" }, "related": { - "user": [ - "asr" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "asr" ] }, - "organization": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "host": { - "name": "mytenant.onmicrosoft.com", - "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" - }, - "client": { - "address": "67.43.156.13", + "source": { "ip": "67.43.156.13" }, - "event": { - "ingested": "2022-01-02T03:50:37.371178128Z", - "original": "{\"ClientIP\":\"67.43.156.13\",\"CorrelationId\":\"fe71359f-005f-9000-7cb1-ccf5124703db\",\"CreationTime\":\"2020-02-14T18:25:44\",\"EventData\":\"\\u003cPermissions granted\\u003eSystem.LimitedEdit\\u003c/Permissions granted\\u003e\",\"EventSource\":\"SharePoint\",\"Id\":\"98633e47-3540-4e8a-bcfc-08d7b17b4e48\",\"ItemType\":\"File\",\"ListId\":\"2b6ad2bd-0fd7-4556-9c89-a97847085b85\",\"ListItemUniqueId\":\"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8\",\"ObjectId\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png\",\"Operation\":\"SharingSet\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"RecordType\":14,\"Site\":\"d5180cfc-3479-44d6-b410-8c985ac894e3\",\"SiteUrl\":\"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com\",\"SourceFileExtension\":\"png\",\"SourceFileName\":\"Screenshot.png\",\"SourceRelativeUrl\":\"Documents/Screenshot.png\",\"TargetUserOrGroupName\":\"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd\",\"TargetUserOrGroupType\":\"SecurityGroup\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0\",\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"UserKey\":\"i:0h.f|membership|1003200096971f55@live.com\",\"UserType\":0,\"Version\":1,\"WebId\":\"8c5c94bb-8396-470c-87d7-8999f440cd30\",\"Workload\":\"OneDrive\"}", - "code": "SharePointSharingOperation", - "provider": "OneDrive", - "kind": "event", - "action": "SharingSet", - "id": "98633e47-3540-4e8a-bcfc-08d7b17b4e48", - "type": [ - "info" - ], - "category": [ - "web" - ], - "outcome": "success" - }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem.onmicrosoft.com", + "domain": "testsiem.onmicrosoft.com", "email": "asr@testsiem.onmicrosoft.com", - "domain": "testsiem.onmicrosoft.com" + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" }, "user_agent": { + "device": { + "name": "Mac" + }, "name": "Firefox", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "os": { + "full": "Mac OS X 10.14", "name": "Mac OS X", - "version": "10.14", - "full": "Mac OS X 10.14" - }, - "device": { - "name": "Mac" + "version": "10.14" }, "version": "73.0." } diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json index af103fa7fdf..ac999b93b96 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json 
@@ -1,171 +1,157 @@ { "expected": [ { - "source": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 - }, - "port": 12345, - "ip": "67.43.156.13" + "@timestamp": "2020-02-28T09:42:45.000Z", + "client": { + "address": "67.43.156.13", + "ip": "67.43.156.13", + "port": 12345 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "GroupCreation", + "category": [ + "web", + "iam" + ], + "code": "Yammer", + "id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "kind": "event", + "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"67.43.156.13:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}", + "outcome": "success", + "provider": "Yammer", + "type": [ + "info", + "creation", + "group" + ] + }, + "group": { + "name": "Sales" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "name": "testsiem2.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv4" }, "o365": { "audit": { - "RecordType": "22", + "ActorYammerUserId": "36787265537", + "CreationTime": "2020-02-28T09:42:45", "ObjectId": "Sales", + "RecordType": "22", "ResultStatus": "TRUE", - "Version": "1", "UserId": "alice@testsiem2.onmicrosoft.com", "UserKey": "100320009d6edf94", - "YammerNetworkId": "5846122497", - "CreationTime": "2020-02-28T09:42:45", - "ActorYammerUserId": "36787265537", - "UserType": "0" + "UserType": "0", + "Version": "1", + "YammerNetworkId": "5846122497" } }, - 
"@timestamp": "2020-02-28T09:42:45.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { - "user": [ - "alice" - ], "ip": [ "67.43.156.13" + ], + "user": [ + "alice" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "name": "testsiem2.onmicrosoft.com", - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" + "source": { + "ip": "67.43.156.13", + "port": 12345 }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem2.onmicrosoft.com", + "email": "alice@testsiem2.onmicrosoft.com", + "id": "alice@testsiem2.onmicrosoft.com", + "name": "alice" + } + }, + { + "@timestamp": "2020-02-28T09:39:20.000Z", "client": { - "port": 12345, - "address": "67.43.156.13", - "ip": "67.43.156.13" + "address": "fdfd::555", + "ip": "fdfd::555", + "port": 12346 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-02T03:50:42.775852605Z", - "original": "{\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36787265537,\"ClientIP\":\"67.43.156.13:12345\",\"CreationTime\":\"2020-02-28T09:42:45\",\"GroupName\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"ObjectId\":\"Sales\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d6edf94\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}", + "action": "GroupCreation", + "category": [ + "web", + "iam" + ], "code": "Yammer", - "provider": "Yammer", + "id": "3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06", "kind": "event", - "action": "GroupCreation", - "id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "original": "{\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"CreationTime\":\"2020-02-28T09:39:20\",\"GroupName\":\"Company 
group\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ObjectId\":\"Company group\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d292e16\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}", + "outcome": "success", + "provider": "Yammer", "type": [ "info", "creation", "group" - ], - "category": [ - "web", - "iam" - ], - "outcome": "success" - }, - "user": { - "name": "alice", - "id": "alice@testsiem2.onmicrosoft.com", - "email": "alice@testsiem2.onmicrosoft.com", - "domain": "testsiem2.onmicrosoft.com" + ] }, "group": { - "name": "Sales" - } - }, - { - "source": { - "port": 12346, - "ip": "fdfd::555" + "name": "Company group" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "name": "testsiem2.onmicrosoft.com" }, - "tags": [ - "preserve_original_event" - ], "network": { "type": "ipv6" }, "o365": { "audit": { - "RecordType": "22", + "ActorYammerUserId": "36085768193", + "CreationTime": "2020-02-28T09:39:20", "ObjectId": "Company group", + "RecordType": "22", "ResultStatus": "TRUE", - "Version": "1", "UserId": "asr@testsiem2.onmicrosoft.com", "UserKey": "100320009d292e16", - "YammerNetworkId": "5846122497", - "CreationTime": "2020-02-28T09:39:20", - "ActorYammerUserId": "36085768193", - "UserType": "0" + "UserType": "0", + "Version": "1", + "YammerNetworkId": "5846122497" } }, - "@timestamp": "2020-02-28T09:39:20.000Z", - "ecs": { - "version": "8.0.0" + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" }, "related": { - "user": [ - "asr" - ], "ip": [ "fdfd::555" + ], + "user": [ + "asr" ] }, - "organization": { - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "host": { - "name": "testsiem2.onmicrosoft.com", - "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" - }, - "client": { - "port": 12346, - "address": "fdfd::555", - "ip": "fdfd::555" - 
}, - "event": { - "ingested": "2022-01-02T03:50:42.775855479Z", - "original": "{\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"CreationTime\":\"2020-02-28T09:39:20\",\"GroupName\":\"Company group\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ObjectId\":\"Company group\",\"Operation\":\"GroupCreation\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"RecordType\":22,\"ResultStatus\":\"TRUE\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"UserKey\":\"100320009d292e16\",\"UserType\":0,\"Version\":1,\"Workload\":\"Yammer\",\"YammerNetworkId\":5846122497}", - "code": "Yammer", - "provider": "Yammer", - "kind": "event", - "action": "GroupCreation", - "id": "3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06", - "type": [ - "info", - "creation", - "group" - ], - "category": [ - "web", - "iam" - ], - "outcome": "success" + "source": { + "ip": "fdfd::555", + "port": 12346 }, + "tags": [ + "preserve_original_event" + ], "user": { - "name": "asr", - "id": "asr@testsiem2.onmicrosoft.com", + "domain": "testsiem2.onmicrosoft.com", "email": "asr@testsiem2.onmicrosoft.com", - "domain": "testsiem2.onmicrosoft.com" - }, - "group": { - "name": "Company group" + "id": "asr@testsiem2.onmicrosoft.com", + "name": "asr" } } ] diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 5d9dafb1349..ecae3f54eff 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -3,9 +3,6 @@ description: Pipeline for Office 365 Audit logs processors: - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: field: ecs.version value: '8.0.0' - set: From 6372d8c82d81ce0498f16577d52bbb1dedc015a8 Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 9 Feb 2022 22:38:34 +0100 Subject: [PATCH 2/7] Support additional client/server addresses format This updates the O365 integration pipeline to support a new format that has been observed in the OriginatingServer field from O365. It also refactors the logic around address field population and prevents failures when invalid IPs are reported. Closes #2660 Relates #2519 --- .../_dev/test/pipeline/test-bad-ips.json | 77 ++++++ .../pipeline/test-bad-ips.json-expected.json | 242 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 41 ++- 3 files changed, 339 insertions(+), 21 deletions(-) create mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json create mode 100644 packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json-expected.json diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json new file mode 100644 index 00000000000..782439a6512 --- /dev/null +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json 
@@ -0,0 +1,77 @@ +{ + "events": [ + { + "o365audit": { + "ActorUserId": "alice@testsiem2.onmicrosoft.com", + "ActorYammerUserId": 36787265537, + "ClientIP": "67.43.156.13:12345", + "ClientIPAddress": "NOTANIPV4 (10.9000.0.1)", + "CreationTime": "2020-02-28T09:42:45", + "GroupName": "Sales", + "Id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "ObjectId": "Sales", + "Operation": "GroupCreation", + "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "RecordType": 22, + "ResultStatus": "TRUE", + "UserId": "alice@testsiem2.onmicrosoft.com", + "UserKey": "100320009d6edf94", + "UserType": 0, + "Version": 1, + "Workload": "Yammer", + "YammerNetworkId": 5846122497 + } + }, + { + "o365audit": { + "ActorUserId": "alice@testsiem2.onmicrosoft.com", + "ActorYammerUserId": 36787265537, + "ClientIP": "67.43.156.13:12345", + "ClientIPAddress": "[CORRECTIPV4 (10.90.0.1)]", + "CreationTime": "2020-02-28T09:42:45", + "GroupName": "Sales", + "Id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "ObjectId": "Sales", + "Operation": "GroupCreation", + "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "RecordType": 22, + "ResultStatus": "TRUE", + "UserId": "alice@testsiem2.onmicrosoft.com", + "UserKey": "100320009d6edf94", + "UserType": 0, + "Version": 1, + "Workload": "Yammer", + "YammerNetworkId": 5846122497 + } + }, + { + "o365audit": { + "ActorUserId": "alice@testsiem2.onmicrosoft.com", + "ActorYammerUserId": 36787265537, + "ClientIP": "67.43.156.13:12345", + "ClientIPAddress": "[INCORRECTIPV4 (10.900.0.1)]", + "CreationTime": "2020-02-28T09:42:45", + "GroupName": "Sales", + "Id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "ObjectId": "Sales", + "Operation": "GroupCreation", + "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "RecordType": 22, + "ResultStatus": "TRUE", + "UserId": "alice@testsiem2.onmicrosoft.com", + "UserKey": "100320009d6edf94", + "UserType": 0, + "Version": 1, + "Workload": "Yammer", + "YammerNetworkId": 5846122497 + } + }, + { + "o365audit": { + 
"CreationTime": "2020-02-28T09:42:45", + "RecordType": 1, + "OriginatingServer": "[SOMETHING (10.555.1.2)]" + } + } + ] +} diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json-expected.json new file mode 100644 index 00000000000..26d2dbd9cb2 --- /dev/null +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json-expected.json 
@@ -0,0 +1,242 @@ +{ + "expected": [ + { + "@timestamp": "2020-02-28T09:42:45.000Z", + "client": { + "address": "10.9000.0.1", + "domain": "NOTANIPV4" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "GroupCreation", + "category": [ + "web", + "iam" + ], + "code": "Yammer", + "id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "kind": "event", + "outcome": "success", + "provider": "Yammer", + "type": [ + "info", + "creation", + "group" + ] + }, + "group": { + "name": "Sales" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "name": "testsiem2.onmicrosoft.com" + }, + "o365": { + "audit": { + "ActorYammerUserId": "36787265537", + "ClientIP": "67.43.156.13:12345", + "CreationTime": "2020-02-28T09:42:45", + "ObjectId": "Sales", + "RecordType": "22", + "ResultStatus": "TRUE", + "UserId": "alice@testsiem2.onmicrosoft.com", + "UserKey": "100320009d6edf94", + "UserType": "0", + "Version": "1", + "YammerNetworkId": "5846122497" + } + }, + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" + }, + "related": { + "user": [ + "alice" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem2.onmicrosoft.com", + "email": "alice@testsiem2.onmicrosoft.com", + "id": "alice@testsiem2.onmicrosoft.com", + "name": "alice" + } + }, + { + "@timestamp": "2020-02-28T09:42:45.000Z", + "client": { + "address": "10.90.0.1", + "domain": "CORRECTIPV4", + "ip": "10.90.0.1" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "GroupCreation", + "category": [ + "web", + "iam" + ], + "code": "Yammer", + "id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "kind": "event", + "outcome": "success", + "provider": "Yammer", + "type": [ + "info", + "creation", + "group" + ] + }, + "group": { + "name": "Sales" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "name": "testsiem2.onmicrosoft.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "ActorYammerUserId": "36787265537", + 
"ClientIP": "67.43.156.13:12345", + "CreationTime": "2020-02-28T09:42:45", + "ObjectId": "Sales", + "RecordType": "22", + "ResultStatus": "TRUE", + "UserId": "alice@testsiem2.onmicrosoft.com", + "UserKey": "100320009d6edf94", + "UserType": "0", + "Version": "1", + "YammerNetworkId": "5846122497" + } + }, + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" + }, + "related": { + "ip": [ + "10.90.0.1" + ], + "user": [ + "alice" + ] + }, + "source": { + "ip": "10.90.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem2.onmicrosoft.com", + "email": "alice@testsiem2.onmicrosoft.com", + "id": "alice@testsiem2.onmicrosoft.com", + "name": "alice" + } + }, + { + "@timestamp": "2020-02-28T09:42:45.000Z", + "client": { + "address": "10.900.0.1", + "domain": "INCORRECTIPV4" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "GroupCreation", + "category": [ + "web", + "iam" + ], + "code": "Yammer", + "id": "2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594", + "kind": "event", + "outcome": "success", + "provider": "Yammer", + "type": [ + "info", + "creation", + "group" + ] + }, + "group": { + "name": "Sales" + }, + "host": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", + "name": "testsiem2.onmicrosoft.com" + }, + "o365": { + "audit": { + "ActorYammerUserId": "36787265537", + "ClientIP": "67.43.156.13:12345", + "CreationTime": "2020-02-28T09:42:45", + "ObjectId": "Sales", + "RecordType": "22", + "ResultStatus": "TRUE", + "UserId": "alice@testsiem2.onmicrosoft.com", + "UserKey": "100320009d6edf94", + "UserType": "0", + "Version": "1", + "YammerNetworkId": "5846122497" + } + }, + "organization": { + "id": "0e1dddce-163e-4b0b-9e33-87ba56ac4655" + }, + "related": { + "user": [ + "alice" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "testsiem2.onmicrosoft.com", + "email": "alice@testsiem2.onmicrosoft.com", + "id": "alice@testsiem2.onmicrosoft.com", + "name": "alice" + } + }, + { + "@timestamp": 
"2020-02-28T09:42:45.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "web" + ], + "code": "ExchangeAdmin", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "o365": { + "audit": { + "CreationTime": "2020-02-28T09:42:45", + "RecordType": "1" + } + }, + "server": { + "address": "10.555.1.2", + "domain": "SOMETHING" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index ecae3f54eff..122b26b4e8f 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -791,17 +791,20 @@ processors: patterns: - '%{IPANDPORTBRACKETS}' - '%{IPANDPORT}' - - '%{IP:client._address}' - - '(%{NOTSPACE:client.domain}|%{HOSTNAME:client.domain})' + - '^%{IP:client.address}$' + - '^%{NOTSPACE:client.domain}$' - '%{HOSTNAMEANDPORTBRACKETS}' - '%{HOSTNAMEANDPORT}' - - '%{HOSTNAMEANDIP}' + - '^\[%{HOSTNAMEANDIP}\]$' + - '^%{HOSTNAMEANDIP}$' + - '%{GREEDYDATA:client.address}' pattern_definitions: - IPANDPORTBRACKETS: "^\\[%{IP:client._address}\\]:%{POSINT:client._port}" - IPANDPORT: "^%{IP:client._address}:%{POSINT:client._port}" - HOSTNAMEANDPORTBRACKETS: "^\\[(%{NOTSPACE:client.domain}|%{HOSTNAME:client.domain})\\]:%{POSINT:client._port}" - HOSTNAMEANDPORT: "^(%{NOTSPACE:client.domain}|%{HOSTNAME:client.domain}):%{POSINT:client._port}" - HOSTNAMEANDIP: "^(%{NOTSPACE:client.domain}|%{HOSTNAME:client.domain}) \\(%{IP:client._address}\\)" + IPANDPORTBRACKETS: "^\\[%{IP:client.address}\\]:%{POSINT:client._port}" + IPANDPORT: "^%{IP:client.address}:%{POSINT:client._port}" + HOSTNAMEANDPORTBRACKETS: '^\[%{NOTSPACE:client.domain}\]:%{POSINT:client._port}' + HOSTNAMEANDPORT: "^%{NOTSPACE:client.domain}:%{POSINT:client._port}" + NOTCLOSINGPARENS: '[^)]*' + HOSTNAMEANDIP: '%{NOTSPACE:client.domain} \(%{NOTCLOSINGPARENS:client.address}\)' if: 'ctx.client?._temp != null && !ctx.client?._temp.isEmpty()' - gsub: field: server._temp 
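Review bot: The new `- '^%{NOTSPACE:client.domain}$'` entry sits before `%{HOSTNAMEANDPORTBRACKETS}` and `%{HOSTNAMEANDPORT}`, and because grok returns on the first pattern that matches and a `host:1234` or `[host]:1234` value contains no whitespace, those two patterns look unreachable: such a value lands whole in `client.domain` and `client._port` is never extracted. Moving the `^%{NOTSPACE:client.domain}$` line to just after `- '%{HOSTNAMEANDPORT}'` keeps the hostname fallback while letting the port patterns fire (the `HOSTNAMEANDIP` and `GREEDYDATA` entries contain a space or come last, so they are unaffected). The previous version had the same ordering without anchors, so this may be pre-existing rather than introduced here; I cannot see a hostname-with-port fixture in the tests shown, so a case like `ClientIPAddress: "[myhost]:12345"` expecting both `client.domain` and `client.port` would confirm. The `%{GREEDYDATA:client.address}` catch-all also deserves a one-line note such as `# fallback: keep the raw value verbatim so nothing is silently dropped`, since anything the earlier patterns reject is now stored as `client.address` unchanged.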
@@ -810,33 +813,29 @@ processors: ignore_missing: true - grok: field: server._temp - patterns: + patterns: + - '^\[%{HOSTNAMEANDIP}\]$' - '%{HOSTNAMEANDIP}' + - '%{GREEDYDATA:server.address}' pattern_definitions: - HOSTNAMEANDIP: "^(%{NOTSPACE:server.domain}|%{HOSTNAME:server.domain}) \\(%{IP:server._address}\\)" + NOTCLOSINGPARENS: '[^)]*' + HOSTNAMEANDIP: '%{NOTSPACE:server.domain} \(%{NOTCLOSINGPARENS:server.address}\)' if: 'ctx.server?._temp != null && !ctx.server?._temp.isEmpty()' + ignore_failure: true - convert: - field: client._address + field: client.address target_field: client.ip type: ip - ignore_missing: true + ignore_failure: true - convert: field: client._port target_field: client.port type: long ignore_missing: true - - rename: - field: client._address - target_field: client.address - ignore_failure: true - convert: - field: server._address + field: server.address target_field: server.ip type: ip - ignore_missing: true - - rename: - field: server._address - target_field: server.address ignore_failure: true - remove: field: From d4cdf3014dd8e559db6478e9274212a4db5c3adf Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 10 Feb 2022 19:16:28 +0100 Subject: [PATCH 3/7] Be consistent about single quotes --- .../audit/elasticsearch/ingest_pipeline/default.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 122b26b4e8f..24264749c8a 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
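Review bot: Switching the `client.address`/`server.address` to `client.ip`/`server.ip` converts from `ignore_missing: true` to `ignore_failure: true` makes a failed IP parse invisible: the `10.9000.0.1` fixture ends up with `client.address` set, no `client.ip`, no `related.ip`, and no error marker, so detection rules keyed on `client.ip` silently miss the event and a future regression in the grok above would be masked the same way. Prefer keeping `ignore_missing: true` and attaching an `on_failure` handler that records the problem (a tag is enough for analysts to find these documents); the same reasoning applies to the `ignore_failure: true` added to the server grok. The expected output in test-bad-ips.json-expected.json would then carry the tag as well, which is a useful assertion that the failure path is exercised.
```yaml
- convert:
    field: client.address
    target_field: client.ip
    type: ip
    ignore_missing: true
    on_failure:
      - append:
          field: tags
          value: _ip_parse_failure
# … unchanged: client._port convert …
- convert:
    field: server.address
    target_field: server.ip
    type: ip
    ignore_missing: true
    on_failure:
      - append:
          field: tags
          value: _ip_parse_failure
```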
@@ -799,10 +799,10 @@ processors: - '^%{HOSTNAMEANDIP}$' - '%{GREEDYDATA:client.address}' pattern_definitions: - IPANDPORTBRACKETS: "^\\[%{IP:client.address}\\]:%{POSINT:client._port}" - IPANDPORT: "^%{IP:client.address}:%{POSINT:client._port}" + IPANDPORTBRACKETS: '^\[%{IP:client.address}\]:%{POSINT:client._port}' + IPANDPORT: '^%{IP:client.address}:%{POSINT:client._port}' HOSTNAMEANDPORTBRACKETS: '^\[%{NOTSPACE:client.domain}\]:%{POSINT:client._port}' - HOSTNAMEANDPORT: "^%{NOTSPACE:client.domain}:%{POSINT:client._port}" + HOSTNAMEANDPORT: '^%{NOTSPACE:client.domain}:%{POSINT:client._port}' NOTCLOSINGPARENS: '[^)]*' HOSTNAMEANDIP: '%{NOTSPACE:client.domain} \(%{NOTCLOSINGPARENS:client.address}\)' if: 'ctx.client?._temp != null && !ctx.client?._temp.isEmpty()' From 170e029c2a830e5448a1fb780427f00c217d5236 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 14 Feb 2022 21:05:39 +0100 Subject: [PATCH 4/7] Better handling for IPv4 mapped IPv6 addresses --- .../test-azuread-events.json-expected.json | 1188 +++++++++++++++++ ...zuread-sts-logon-events.json-expected.json | 828 ++++++++++++ .../test-ip-formats-events.json-expected.json | 61 +- .../test-parameter-string.json-expected.json | 12 + .../test-sharepoint-events.json-expected.json | 48 + ...sharepointfileop-events.json-expected.json | 132 ++ ...st-sp-sharing-op-events.json-expected.json | 60 + .../test-yammer-events.json-expected.json | 12 + .../elasticsearch/ingest_pipeline/default.yml | 7 +- 9 files changed, 2325 insertions(+), 23 deletions(-) diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json index b201bc27b33..0dcd074a22a 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json 
@@ -155,6 +155,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -325,6 +337,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -495,6 +519,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -674,6 +710,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -853,6 +901,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1045,6 +1105,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1237,6 +1309,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1429,6 +1513,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1621,6 +1717,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1813,6 +1921,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2005,6 +2125,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2197,6 +2329,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2389,6 +2533,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2581,6 +2737,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2773,6 +2941,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2965,6 +3145,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3157,6 +3349,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3349,6 +3553,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3519,6 +3735,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3689,6 +3917,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3868,6 +4108,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -4038,6 +4290,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4208,6 +4472,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4378,6 +4654,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4557,6 +4845,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4749,6 +5049,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4941,6 +5253,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5133,6 +5457,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5325,6 +5661,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5517,6 +5865,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5709,6 +6069,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5901,6 +6273,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6093,6 +6477,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6288,6 +6684,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6483,6 +6891,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6844,6 +7264,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7036,6 +7468,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7228,6 +7672,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7420,6 +7876,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7612,6 +8080,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7804,6 +8284,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7996,6 +8488,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8188,6 +8692,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -8380,6 +8896,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -8572,6 +9100,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -8764,6 +9304,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -8956,6 +9508,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -9148,6 +9712,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -9340,6 +9916,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -9532,6 +10120,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -9727,6 +10327,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -9922,6 +10534,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -10114,6 +10738,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -10306,6 +10942,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -10498,6 +11146,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -10690,6 +11350,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -10882,6 +11554,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -11074,6 +11758,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -11266,6 +11962,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -11458,6 +12166,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -11650,6 +12370,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -11832,6 +12564,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -12014,6 +12758,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -12196,6 +12952,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -12378,6 +13146,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -12558,6 +13338,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -12760,6 +13552,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -12959,6 +13763,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -13158,6 +13974,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -13357,6 +14185,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -13518,6 +14358,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -13688,6 +14540,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -13858,6 +14722,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -14037,6 +14913,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -14216,6 +15104,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -14395,6 +15295,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -14565,6 +15477,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -14735,6 +15659,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -14905,6 +15841,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -15084,6 +16032,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -15263,6 +16223,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -15442,6 +16414,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -15634,6 +16618,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -15826,6 +16822,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -16018,6 +17026,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -16210,6 +17230,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -16402,6 +17434,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -16594,6 +17638,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -16786,6 +17842,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -16978,6 +18046,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -17170,6 +18250,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -17362,6 +18454,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -17554,6 +18658,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -17749,6 +18865,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -17944,6 +19072,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -18139,6 +19279,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -18327,6 +19479,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -18515,6 +19679,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -18703,6 +19879,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json index 02ae28a25c5..191aade0f9c 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json @@ -94,6 +94,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -213,6 +225,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -332,6 +356,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -451,6 +487,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -570,6 +618,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -689,6 +749,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -808,6 +880,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -927,6 +1011,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1046,6 +1142,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -1165,6 +1273,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1284,6 +1404,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -1403,6 +1535,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -1522,6 +1666,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1641,6 +1797,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1760,6 +1928,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.14" }, "tags": [ @@ -1879,6 +2059,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1998,6 +2190,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -2117,6 +2321,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.14" }, "tags": [ @@ -2236,6 +2452,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -2355,6 +2583,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2474,6 +2714,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -2593,6 +2845,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2712,6 +2976,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -2831,6 +3107,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -2950,6 +3238,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3069,6 +3369,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -3188,6 +3500,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -3307,6 +3631,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -3426,6 +3762,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3544,6 +3892,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3664,6 +4024,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -3771,6 +4143,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -3887,6 +4271,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -3994,6 +4390,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4111,6 +4519,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4218,6 +4638,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4335,6 +4767,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4454,6 +4898,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4573,6 +5029,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -4680,6 +5148,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -4797,6 +5277,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -4916,6 +5408,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.14" }, "tags": [ @@ -5035,6 +5539,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -5154,6 +5670,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5261,6 +5789,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5377,6 +5917,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -5496,6 +6048,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -5615,6 +6179,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -5734,6 +6310,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5853,6 +6441,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -5972,6 +6572,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -6091,6 +6703,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6210,6 +6834,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6329,6 +6965,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -6448,6 +7096,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6567,6 +7227,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -6686,6 +7358,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -6805,6 +7489,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -6924,6 +7620,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.14" }, "tags": [ @@ -7043,6 +7751,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7162,6 +7882,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -7281,6 +8013,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7400,6 +8144,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7519,6 +8275,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -7638,6 +8406,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7757,6 +8537,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7876,6 +8668,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -7995,6 +8799,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -8114,6 +8930,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json index 04e7f578fdc..16bbb9a6be8 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-ip-formats-events.json-expected.json @@ -253,18 +253,12 @@ ] }, "source": { - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } - }, "geo": { "continent_name": "Europe", - "country_iso_code": "DK", - "country_name": "Denmark", + "country_iso_code": "NO", + "country_name": "Norway", "location": { - "lat": 56, + "lat": 62, "lon": 10 } }, @@ -311,18 +305,12 @@ ] }, "source": { - "as": { - "number": 62121, - "organization": { - "name": "Christian Ebsen ApS" - } - }, "geo": { "continent_name": "Europe", - "country_iso_code": "DK", - "country_name": "Denmark", + "country_iso_code": "NO", + "country_name": "Norway", "location": { - "lat": 56, + "lat": 62, "lon": 10 } }, @@ -335,7 +323,8 @@ { "@timestamp": "2020-02-17T17:12:03.000Z", "client": { - "domain": "[2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6]" + "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" }, "ecs": { "version": "8.0.0" 
@@ -352,12 +341,32 @@ "info" ] }, + "network": { + "type": "ipv6" + }, "o365": { "audit": { "CreationTime": "2020-02-17T17:12:03", "RecordType": "-1" } }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62, + "lon": 10 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, "tags": [ "preserve_original_event" ] @@ -365,7 +374,8 @@ { "@timestamp": "2020-02-17T17:12:03.000Z", "client": { - "domain": "[10.11.12.13]" + "address": "10.11.12.13", + "ip": "10.11.12.13" }, "ecs": { "version": "8.0.0" @@ -382,12 +392,23 @@ "info" ] }, + "network": { + "type": "ipv4" + }, "o365": { "audit": { "CreationTime": "2020-02-17T17:12:03", "RecordType": "-1" } }, + "related": { + "ip": [ + "10.11.12.13" + ] + }, + "source": { + "ip": "10.11.12.13" + }, "tags": [ "preserve_original_event" ] diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json index d9a510de9bc..9b28f17378a 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json @@ -87,6 +87,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json index 7d567156309..60c52b01565 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json 
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepoint-events.json-expected.json @@ -62,6 +62,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -149,6 +161,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -236,6 +260,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -323,6 +359,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json index a0a42f778ab..d86f2694dee 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sharepointfileop-events.json-expected.json @@ -69,6 +69,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -166,6 +178,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -263,6 +287,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -360,6 +396,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -458,6 +506,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -555,6 +615,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -652,6 +724,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -750,6 +834,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ 
@@ -847,6 +943,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -944,6 +1052,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ @@ -1041,6 +1161,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, "tags": [ diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json index 3c7769f073e..bb215ef57b3 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-sp-sharing-op-events.json-expected.json @@ -419,6 +419,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -512,6 +524,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ @@ -606,6 +630,18 @@ ] }, "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.13" }, "tags": [ 
@@ -700,6 +736,18 @@
       ]
     },
     "source": {
+      "as": {
+        "number": 35908
+      },
+      "geo": {
+        "continent_name": "Asia",
+        "country_iso_code": "BT",
+        "country_name": "Bhutan",
+        "location": {
+          "lat": 27.5,
+          "lon": 90.5
+        }
+      },
       "ip": "67.43.156.13"
     },
     "tags": [
@@ -794,6 +842,18 @@
       ]
     },
     "source": {
+      "as": {
+        "number": 35908
+      },
+      "geo": {
+        "continent_name": "Asia",
+        "country_iso_code": "BT",
+        "country_name": "Bhutan",
+        "location": {
+          "lat": 27.5,
+          "lon": 90.5
+        }
+      },
       "ip": "67.43.156.13"
     },
     "tags": [
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
index ac999b93b96..b32566649ba 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-yammer-events.json-expected.json
@@ -64,6 +64,18 @@
       ]
     },
     "source": {
+      "as": {
+        "number": 35908
+      },
+      "geo": {
+        "continent_name": "Asia",
+        "country_iso_code": "BT",
+        "country_name": "Bhutan",
+        "location": {
+          "lat": 27.5,
+          "lon": 90.5
+        }
+      },
       "ip": "67.43.156.13",
       "port": 12345
     },
diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 24264749c8a..2ad3797c4ed 100644
--- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -783,15 +783,16 @@ processors:
       }
   - gsub:
       field: client._temp
-      pattern: "::ffff:"
-      replacement: ""
+      pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'
+      replacement: '$1'
       ignore_missing: true
   - grok:
       field: client._temp
       patterns:
         - '%{IPANDPORTBRACKETS}'
-        - '%{IPANDPORT}'
         - '^%{IP:client.address}$'
+        - '^\[%{IP:client.address}\]$'
+        - '%{IPANDPORT}'
         - '^%{NOTSPACE:client.domain}$'
         - '%{HOSTNAMEANDPORTBRACKETS}'
         - '%{HOSTNAMEANDPORT}'
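Review bot: The new order of the grok patterns is load-bearing but carries no explanation: `%{IPANDPORT}` now comes after the two anchored whole-address patterns, and nothing in the processor says why, so a later tidy-up could move it back to the front and reintroduce the mis-parse this commit fixes. The fixture changes in the same commit show the effect (a bare or bracketed IPv6 address previously fell through to `client.domain`), presumably because the unanchored `%{IPANDPORT}` can consume part of an IPv6 address as the port — worth confirming against the custom pattern's definition, which is outside this hunk. I would add a comment above the `patterns:` list, e.g. `# Order matters: anchored full-address forms come first so a bare IPv6 address is not split into IP + port by %{IPANDPORT}.` Separately, the new gsub pattern is unanchored, so `::ffff:` followed by a dotted quad is rewritten wherever it appears in the value; since an IPv4-mapped prefix can only legitimately open the address (optionally after `[`), `pattern: '(^|\[)::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'` with `replacement: '$1$2'` keeps the rewrite from touching hostname-like values that merely contain that substring. Octets above 255 still pass the gsub but then fail `%{IP}` and land in `client.domain`, which is consistent with the fallback already in place.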
From 330497cdf1b9e61dbba9cb3860b50356f5b09f24 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 15 Feb 2022 11:14:29 +0100
Subject: [PATCH 5/7] Format

---
 .../o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json
index 782439a6512..fe91bc4076d 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-bad-ips.json
@@ -74,4 +74,4 @@
       }
     }
   ]
-}
+}
\ No newline at end of file

From a1af5a98716ccc317311e6a92f4bafa507f6db53 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 15 Feb 2022 18:19:02 +0100
Subject: [PATCH 6/7] Update version

---
 packages/o365/changelog.yml | 5 +++++
 packages/o365/manifest.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index 29014c9a708..c749ad6293c 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.4.1"
+  changes:
+    - description: Fix grok parsing errors due to invalid IP addresses.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2660
 - version: "1.4.0"
   changes:
     - description: Update to ECS 8.0
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index 600c9625ed7..9dd4489a3dd 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Office 365 Logs
-version: 1.4.0
+version: 1.4.1
 release: ga
 description: Collect and parse event logs from Office 365 with Elastic Agent.
 type: integration

From cd6d9a270297bc58cdf5ff81eba7daa157ee4622 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 16 Feb 2022 19:09:55 +0100
Subject: [PATCH 7/7] Correct PR number in changelog

---
 packages/o365/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index c749ad6293c..e92e2b4f070 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -3,7 +3,7 @@
   changes:
     - description: Fix grok parsing errors due to invalid IP addresses.
       type: bugfix
-      link: https://github.com/elastic/integrations/pull/2660
+      link: https://github.com/elastic/integrations/pull/2669
 - version: "1.4.0"
   changes:
     - description: Update to ECS 8.0